Symantec Security Information Manager 4.5 Deployment Planning Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 1.0

Legal Notice

Copyright 2007 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Microsoft, Windows, Windows 2000, Windows 2003, and Windows XP are trademarks or registered trademarks of Microsoft Corporation. This product includes software that was developed by the Apache Software Foundation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. BindView is a registered trademark of Symantec Corporation. Check Point FireWall-1 is a registered trademark of Check Point Software Technologies Ltd. Cisco PIX is a registered trademark of Cisco Systems, Inc. worldwide. Juniper Networks NetScreen is a registered trademark, and NetScreen Security Manager is a trademark of Juniper Networks, Inc. in the United States and other countries. Snort is a registered trademark of Sourcefire, Inc. Dell is a registered trademark of Dell, Inc.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
Stevens Creek Blvd.
Cupertino, CA
Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Customer service

Customer service information is available at the following URL:

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan:
- Europe, Middle-East, and Africa:
- North America and Latin America:

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

Select your country or language from the site index.
Contents

Technical Support

Chapter 1  Introducing Symantec Security Information Manager deployment planning
    About this guide
    Who should use this guide
    Where to get more information

Chapter 2  Understanding Symantec Security Information Manager
    About Symantec Security Information Manager
    Information Manager definitions
    Information Manager components
        About security products and devices
        About event collectors
        About Information Manager appliances
        About the Symantec Global Intelligence Network
        About the Information Manager Web Service

Chapter 3  Preparing to deploy Information Manager
    Understanding the phases of an Information Manager deployment
    About the planning phase
        About high availability deployments
        Determining how many appliances you will need
        Gathering information about your network
        Acquiring information about administrative roles and organizational units
        Understanding the event and incident load that Information Manager will handle
        Preparing the site and administration for deployment
        Recommended third-party tools and technologies
        Preparing to use the Information Manager Web Service
    About the installation phase ... 28
    About the configuration phase
        Configuring and updating the appliance
        Configuring the collectors
        Customizing Information Manager with your resource data
    About the tuning phase
    About the knowledge transfer and deliverable creation phase
    About post-deployment optimization

Chapter 4  Planning for event collection and archiving
    Planning tasks for event collection and archiving
    Event collection and archive planning considerations
        How to estimate the event generation rate
        About filtering and aggregating events at the event collector
        About event archive filters
        How to estimate event archive storage requirements
        Event data retention compliance options
        About multiple event archives
    Event collection and archiving checklist

Chapter 5  Planning for event correlation and incident management
    Event correlation planning tasks
    Event correlation considerations
        Specifying networks and systems
        About CIA ratings
        About policies
        About vulnerability scanners
        Customizing correlation rules and filters
    Event correlation checklist

Chapter 6  Planning for administration
    Administration planning tasks
        About subdomains
        About creating and assigning roles
        About administrative roles
        About event monitoring and incident management roles
    Administration checklist

Chapter 7  Deployment examples
    Deployment scenarios overview
    Integrated security management scenario overview ... 53
        Antivirus and firewall and event traffic
        Network and asset identification
        Correlation rules and filters
        Administrative and monitoring roles
        About installation and configuration
        Deployment summary
        Reports
    Event correlation scenarios overview
        Distributing Information Manager processing using two appliances
        Distributing Information Manager processing using three or more appliances

Appendix A  Deployment planning tools
    Estimation worksheets
        Event and incident rate examples
        Event rate worksheet
        Event archive storage worksheet
    Deployment planning checklists
    Installation tables
    Information Manager configuration tables

Appendix B  Understanding the event life cycle
    About the event life cycle

Glossary

Index
Chapter 1
Introducing Symantec Security Information Manager deployment planning

This chapter includes the following topics:
- About this guide
- Who should use this guide
- Where to get more information

About this guide

The Symantec Security Information Manager Deployment Planning Guide provides guidelines for the deployment of Symantec Security Information Manager with Symantec event collectors. Specific installation and administrative tasks are beyond the scope of this document.

This guide includes guidance to help you complete the following deployment planning tasks:
- Prepare your organization for an Information Manager deployment.
- Gather the needed pre-deployment information.
- Estimate the security event traffic in your environment to determine the optimal Information Manager collection architecture.
- Determine how to filter and aggregate security events at each tier of your deployment.
- Evaluate your data retention policies to estimate your data storage requirements.
- Identify and rate the assets in your environment to accurately correlate and prioritize security incidents.
- Identify the domains and roles that are necessary to segregate privileges in your organization.

This guide includes deployment scenarios that illustrate the following features:
- Integrated security management
- Data compliance
- Security event correlation on multiple appliances

Who should use this guide

This guide is intended for individuals who are responsible for planning and resourcing an Information Manager deployment in their enterprise. This guide can also be used by individuals who want to evaluate how Information Manager fits into their organization.

Where to get more information

For more information about Symantec Security Information Manager, visit the Symantec Technical Support Web site at the following URL:

The following documents are available:
- Symantec Security Information Manager Installation Guide
- Symantec Security Information Manager Administrator's Guide
- Symantec Security Information Manager User's Guide
- Symantec Security Information Manager Developer's Guide

For more information about Symantec event collectors and product-specific white papers, contact your Symantec representative or visit Symantec support at the following Web site:
Chapter 2
Understanding Symantec Security Information Manager

This chapter includes the following topics:
- About Symantec Security Information Manager
- Information Manager definitions
- Information Manager components

About Symantec Security Information Manager

Symantec Security Information Manager collects and archives security events from across the enterprise. These events are correlated with known asset vulnerabilities and current security information from the Global Intelligence Network. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.

With Information Manager, you can perform the following enterprise security operations:
- Collect and analyze large amounts of security data from across the enterprise.
- Archive event data in a compressed and searchable format.
- Perform multi-tier event filtering and aggregation.
- Identify threats across multiple vendors' security products.
- Correlate internal activity with global threats.
- Associate assets with policies to prioritize security incidents.
- Demonstrate compliance with security and data retention policies.
- Remediate incidents with threat mitigation guidance and help-desk work flow.

Information Manager definitions

Definitions of the terms used in Information Manager can be found in the Glossary.

Information Manager components

The Information Manager solution has the following components:
- Security products and devices
- Event collectors
- Information Manager appliances
- Global Intelligence Network

Figure 2-1 shows the Information Manager components and the flow of event data from the security products to Information Manager.
Figure 2-1 Information Manager components

About security products and devices

The security products and devices in your enterprise can generate overwhelming amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.

About event collectors

Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, optionally filter and aggregate the events, and then send the events to Information Manager. You can configure event collectors to also send the event data in its original format.

You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and set-up, event collectors for popular firewalls are preinstalled on the Information Manager appliance. After the event collector is registered with Information Manager, you can configure the event collector settings from the Information Manager console. The event collector settings include the event source specification and any event filter or aggregation rules.

Symantec provides event collectors for the following types of products:
- Firewalls
- Routers, switches, and VPNs
- Intrusion detection and prevention systems
- Vulnerability scanners
- Web servers, filters, and proxies
- Databases
- Mail and groupware
- Enterprise antivirus
- Microsoft authentication services
- Windows and UNIX system logs

For access to the extensive library of event collectors, visit Symantec support at the following Web site:

About Information Manager appliances

You can deploy one or more Information Manager appliances to satisfy the event gathering, archiving, and event correlation requirements for your enterprise. To account for traffic variation, a single Information Manager is only recommended for a security environment that generates up to 1,000 events per second (EPS) on average and that requires a maximum of 4 MB per day of event data storage. To increase your overall event processing rate, you can add multiple, load sharing Information Managers to your deployment. You can configure each appliance for dedicated event collection, event archiving, or event correlation. In most cases, using multiple appliances that share the event and incident processing load is preferred.
Information Manager offers two appliance models for deployment in your enterprise. The 9650 model is used primarily to manage integrated security information for small and medium enterprises. In deployments with multiple Information Managers, the 9650 model can be used for dedicated event correlation, or for dedicated event archiving. The 9630 model has less data storage and processing power than the 9650 model. The 9630 is used primarily to collect, filter, and forward events. You can configure either model to use direct attached storage (DAS), network attached storage (NAS), or a storage area network (SAN) for event archiving.

Both models include the following event collectors:
- Check Point FireWall-1 Event Collector v4.2
- Cisco PIX Event Collector v4.2
- Generic Syslog Event Collector v4.2
- Juniper NetScreen Firewall Event Collector v4.2
- LiveUpdate v1.0
- Snort Syslog Event Collector v4.2
- Syslog Director v4.2
- UNIX Syslog Event Collector v4.2

Table 2-1 describes the Information Manager hardware specifications.

Table 2-1 Information Manager hardware specifications
Specification: Processor | Memory | Disk | Ethernet NIC | PCIe slots
Information Manager: GHz/4MB Cache Dual Xeon | 8 GB RAM | GB Raid | GB Raid
Information Manager: GHz/4MB Cache Dual Xeon | 8 GB RAM | GB Raid

About estimating system performance

Determining the performance of an Information Manager appliance or set of appliances is a process that is unique to every environment. Information Manager integrates with a wide range of event collectors, and by nature requires the customization of settings to match each environment. Since this is the case, the physical performance depends greatly on the collectors and settings that you choose. This section provides examples of storage capacity and events per second (EPS) rates under optimal circumstances.

For general planning purposes, you can create a rough estimate of system performance by using the following tables. Note however that system performance varies widely from these figures depending on your environment. Your estimates will need to be adjusted over time as your policies, settings, and storage requirements are refined.

Table 2-2 provides examples of common EPS rates for the Information Manager 9630. These numbers are intended as sample guidelines only, and vary greatly with each deployment. The table compares EPS rates for an appliance that receives multiple types of event data (such as from multiple types of collectors) with an appliance that is processing a single type of event data (in this case, PIX events).

Table 2-2 Information Manager 9630 EPS rates
Test case | Mixed data | PIX events
Event Router with encryption enabled; events are forwarded to Event service of remote appliance
Event Router with encryption disabled; events are forwarded to Event service of remote appliance
Event Router with encryption disabled; events are forwarded to Correlation service of remote appliance

Table 2-3 provides examples of common EPS rates for the Information Manager 9650. These numbers are intended as sample guidelines only, and vary greatly with each deployment. The table compares EPS rates for an appliance that receives multiple types of event data (such as from multiple types of collectors) with an appliance that is processing a single type of event data (in this case, PIX events).

Table 2-3 Information Manager 9650 EPS rates
Test case | Mixed data | PIX events
Archive
Event Summarizers
Event Correlation
Event Router with encryption enabled; events are forwarded to Event service of remote appliance
Event Router with encryption disabled; events are forwarded to Event service of remote appliance
Event Router with encryption disabled; events are forwarded to Correlation service of remote appliance
END-2END (all-in-one appliance)

Table 2-4 describes, for a variety of event rates, the number of days that Information Manager is able to retain events.

Table 2-4 Event rates and retention lengths
Event Rate (EPS) | Event storage per day | Days retained, Information Manager 9630 | Days retained, Information Manager 9650
EPS | .4 GB
EPS | 2 GB
EPS | 4 GB
EPS | 6 GB
EPS | 8 GB | 8 | 64

About the Symantec Global Intelligence Network

Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management service. The Symantec Global Intelligence Network powers the Threat and Vulnerability Management service. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

For more information about the Threat and Vulnerability Management service, including Information Manager configuration and license management, see the Symantec Security Information Manager Administrator's Guide.

About the Information Manager Web Service

Information Manager provides a Web Service to securely access and update the data that is stored on an appliance. You can use the Web Service to publish event, asset, incident, ticket, and system setting information, or to integrate Information Manager with help desk, inventory, or notification applications.

For more information about how to integrate Information Manager with other enterprise applications, see the Symantec Security Information Manager Developer's Guide.
Chapter 3
Preparing to deploy Information Manager

This chapter includes the following topics:
- Understanding the phases of an Information Manager deployment
- About the planning phase
- About the installation phase
- About the configuration phase
- About the tuning phase
- About the knowledge transfer and deliverable creation phase
- About post-deployment optimization

Understanding the phases of an Information Manager deployment

A Symantec Security Information Manager deployment goes through a series of high-level conceptual phases. Dividing the deployment tasks into logical groups helps to define the duties that are required during each phase. Using this methodology should help you to gain an understanding of the time and resources that are necessary during each stage of the deployment.

Figure 3-1 illustrates the conceptual phases of deployment. Note that in this diagram, the knowledge transfer and deliverable creation tasks are optional, but recommended. In some cases, enterprises complete the knowledge transfer and deliverable creation tasks by using Symantec Consulting Services. Symantec Consulting Services can provide guidance throughout the deployment lifecycle.

Figure 3-1 Information Manager Deployment Phases

About the planning phase

The planning phase of an Information Manager deployment involves not only grasping the benefits of adding Information Manager to your network, but gaining a thorough understanding of the networks and systems that you are protecting. Each environment is unique, but in general, the pre-installation tasks related to planning for an Information Manager deployment include the following:
- Determining how many appliances you will need
- Gathering information about your network
- Acquiring information about administrative roles and organizational units
- Understanding the event and incident load that Information Manager will handle
- Preparing the site and administration for deployment

In general, you should also outline the business objectives of the deployment. Determine the deployment success criteria. What are the security objectives of a successful Information Manager deployment? What are the measurable units that can be used to determine that Information Manager is meeting security and business expectations?

The Symantec Information Manager Deployment Planning Guide includes a set of estimation worksheets and planning checklists that you can use during the planning phase.

See Estimation worksheets on page 65.
See Deployment planning checklists on page 68.
About high availability deployments

You can deploy redundant Information Manager systems to ensure high availability of security data. Information Manager provides the following high availability features:

Information Manager agent failover and failback
Event collectors use the Information Manager agent to communicate with Information Manager. You can specify a list of Information Managers for the agent to contact if the primary Information Manager is unavailable. When the primary Information Manager is unavailable, the agent sends events to the first alternate Information Manager. When the connection to the primary Information Manager is re-established, the agent then fails back to the original Information Manager. Configuring the agent for failover and failback ensures uninterrupted event delivery and archiving.

Redundant event archives
To maintain multiple copies of your event archives, you can configure an Information Manager to forward all locally archived events to an alternate Information Manager for storage. If the Information Manager is unavailable, the event data that is ordinarily accessible on that Information Manager will be available on the alternate. If you also configure the agents that communicate with the Information Manager to failover to the alternate Information Manager, you will have uninterrupted access to both current and historical event data.

Directory replicas
The Information Manager directory holds user and product administration data. In a subdomain that contains multiple Information Managers, one Information Manager hosts the directory service, and the directories that are located on the other Information Managers are dormant. To safeguard your directory data, you can configure one or more of the dormant directories to be read-write replicas of the live directory. If your sub-domains are defined geographically, you would typically position the replica in the same geographic location as the live directory. You can configure the Information Managers in the subdomain to failover to the replica if the Information Manager that hosts the directory becomes unavailable, and to failback to the original directory when it becomes available again.

For more information about how to configure Information Manager for high availability, see the Symantec Security Information Manager Administrator's Guide.
Determining how many appliances you will need

Information Manager is a scalable solution that meets the needs of businesses of all sizes. This includes businesses ranging from relatively few but mission critical nodes, to enterprise level environments with nodes in the thousands. Each environment is unique, and requires careful consideration of the event, incident, and storage handling needs for that environment. In general, the event collection appliances are usually the first types of appliances that must be scaled up. An appliance that is configured to perform archiving and event correlation tasks can typically handle event data from more than one correlation appliance, when needed.

Estimating how many appliances you need typically involves addressing the following:
- How many events are generated in a typical 24 hour cycle?
- How many events occur during higher traffic times, such as the beginning and end of a workday?
- During a real security incident, such as a virus outbreak, what kind of event load do you anticipate?
- What are your data archiving requirements? According to the policies you need to comply with, how long must you store event data?
- If you have multiple geographic locations, do you need an appliance or set of appliances at each location? For example, you may need a collection appliance at one location that forwards events to an event archiving and correlation appliance at a central location.
- Do you have a large number of security devices or software solutions that require event collectors? Depending on your environment, you may need to scale up the number of collection appliances that collect event data.

Gathering information about your network

To deploy Information Manager, you must gather information on the existing resources on your network.
Tasks that you must complete for this phase usually include the following:
- Assemble or acquire a current network diagram to understand the physical and logical topologies of your network. During the configuration phase, this diagram can be used by an administrator to categorize and prioritize assets using the Information Manager console. This process should include identifying the resources that will send event data to Information Manager for analysis.
- Gather information for the appliance on the IP addresses for the management port, netmask, gateway, DNS 1, DNS 2, and Fully Qualified Domain Name. If you need remote access, an additional IP address must be provided for the Remote Access port.
- Gather information on the specific collector product groups that will provide data for Information Manager. For each group, you should have a list that includes the software version, patch level, operating system, and the number of servers that use the same configuration.
- Determine the speed and duplex level of the switch to which the appliance(s) will connect. During installation and configuration, you can either manually set these values or choose Auto-configure. In some cases, if Auto-configure fails to correctly identify these values, they are needed by Symantec Technical Support to provide assistance.
- Identify and prepare the physical hardware that will be used with Information Manager, including gathering relevant network connectivity information. For example, you should identify the computers that will be used to communicate with Information Manager using Information Manager collectors and agents. You should identify off-box storage requirements and network paths that may require such adjustments as port reconfiguration. You should also identify the computers that will have access to the Information Manager administrative console.
- The physical requirements of an appliance should also be accounted for. For example, you will need a 2U rack space, dual power, a KVM switch, and the appropriate cabling. Note that the appliance weighs approximately 80 lbs.

If you use Symantec AntiVirus or Symantec Client Security, you should also address the following:
- How many AntiVirus Primary/Parent servers does your environment contain?
- What version of Symantec AntiVirus Corporate Edition is installed on each Primary/Parent server?
Acquiring information about administrative roles and organizational units

Information Manager provides organizational tools that allow you to group individuals into logical roles and business units. Creating roles and groups helps to simplify the dissemination of information, updates, and alerts when necessary. It also helps administrators respond quickly and accurately as events occur on the network.

Tasks that you must complete for this phase usually include the following:

- Create or gather a current organizational chart that will be used in the Information Manager console to group your organizations into logical units.
- Determine the administrative roles and divisions of labor that you may need to implement as part of the deployment. For example, you may use multiple administrators that each focus on a specific area of knowledge.

See About administrative roles on page 51.

Understanding the event and incident load that Information Manager will handle

Estimating event and incident load is perhaps the most challenging set of tasks in the planning phase. Each environment consists of entirely unique data, ranging from varying data packet size to the priorities that determine the importance of an incident. Although this portion of planning is highly subjective, a few general guidelines can help you create realistic estimates of load.

Tasks that you must complete for this phase usually include the following:

- Analyze the raw event data that is generated to determine volume and quality. For example, in most environments that are locked down behind a firewall, the volume of raw event data can be reduced by 80 to 90 percent by filtering false positives.
- Identify and begin to prioritize the initial types of incidents that will be relevant to your environment.
- Assemble a list of the policy requirements that are specified for your network. These policies may include both internally defined policies and industry requirements. Information Manager uses these policies to help escalate events into incidents if a policy violation has occurred.

See Planning tasks for event collection and archiving on page 33.

Preparing the site and administration for deployment

When you are deploying Information Manager, the physical environment must be prepared. Tasks that you must complete for this phase usually include the following:

- If you are using Symantec Consulting Services, you should prepare the facility and network for administrator-level access. For example, you should take into consideration whether or not distributed appliances or network topologies can be physically accessed if necessary, which servers (such as the collector computers) will need temporary administrator access, and who to contact for server administration. For example, if there is a firewall between the collector and the appliance, the firewall administrator must be available.
- Establish a means of tracking changes on the network, including changes to the configuration of Information Manager. Maintaining an audit trail when you fine-tune Information Manager can be a critical step in preserving high availability. For example, if you use multiple administrators, each administrator needs to be aware of the changes to the rules and filters that the other administrators implement.
- If you would like alerting to be set up, you must provide an internal relay system.

Ports required for the initial deployment

Information Manager uses a set of ports to communicate with various components and collectors. The ports that Information Manager needs to use during installation include the following:

For more information on additional ports that may be used, see the Symantec Security Information Manager Administrator's Guide.

Recommended third-party tools and technologies

In addition to the tools that Information Manager provides through the console and the Web Administration interface, there are several external tools that customers often find useful. Table 3-1 lists the third-party products that are occasionally used during deployment and subsequent tuning.

Table 3-1 Third-party tools

Name         Version                  Description
PuTTY.exe    0.52 or higher           Secure remote connection capability from the management desktop to the SSIM appliance to execute required commands, etc.
WinSCP.exe   (Build 245) or higher    Secure remote connection capability from the management desktop to the SSIM appliance for file copy, etc.
Preparing to use the Information Manager Web Service

Information Manager includes a standards-based Web Service interface that provides a means to extract raw data from an appliance. Developers use this data to create custom applications that meet the specific needs of customers. Developers who use the Web Service should be thoroughly familiar with Web Services development practices. Information Manager adheres to the standards made available through the W3C and OASIS organizations. Developers should be well-versed in the SOAP, WSDL, and WS-based standards, as well as the UDDI specifications, before development is pursued.

For more information on developing custom applications that use Information Manager data, see the Symantec Security Information Manager Developer's Guide.

About the installation phase

In addition to the standard installation procedures that are described in the Symantec Security Information Manager Installation Guide, there are a number of additional tasks that may be needed to complete the installation phase of deployment.

Note: Many organizations roll out an Information Manager solution as a controlled pilot program before going live on the network. Using a pilot program is a recommended practice, as it helps administrators to tune Information Manager before the security of the network is potentially at risk.

Installation phase tasks may include the following:

- During the operating system installation, keep a list of the elements that you have customized for your network, for example, the netmask, gateway IP addresses, DNS settings, and the name of the domain(s) that you create.
- Apply the most up-to-date Hotfixes and patches. Visit the support Web site or contact your Symantec representative for further information on acquiring the latest Hotfixes and patches.
- Install the current Information Manager console software on each computer that will have access to the console features.
- Set up a remote access card, if needed.
- Validate remote access and the functionality of each device locally.
- If applicable, obtain a Global Intelligence Network license.
- Install any additional collector installation packages and register the collectors.
- Edit all /etc/hosts files as needed. See the Symantec Security Administrator's Guide for instructions and further information.
- Test connectivity to the remote devices and collector systems.

For more information on many of these tasks, see the Symantec Security Information Manager Installation Guide or the Symantec Security Information Manager Administrator's Guide.

About the configuration phase

After you have completed the installation phase, you must configure Information Manager and the computers that interact with it. The configuration phase tasks often include the following:

- Configuring and updating the appliance
- Configuring the collectors
- Customizing Information Manager with your resource data

Configuring and updating the appliance

After you have performed the initial installation, you must update the appliance with the latest security data from Symantec. If necessary, you must also configure event forwarding. Tasks that you must complete for this phase usually include the following:

- Acquire the latest security data for each Symantec product using LiveUpdate.
- Configure each event forwarding device, if used.
- Register each event forwarding device with the event correlation appliance.
- Import and configure the Global Intelligence Network feed.

Configuring the collectors

To allow Information Manager to receive event data, you must configure the collector sensors. Tasks that you must complete for this phase usually include the following:

- Using the Information Manager console, configure each collector sensor.
- Validate that each collector is successfully sending event data to the appliance, and troubleshoot if necessary.
Customizing Information Manager with your resource data

To allow Information Manager to correlate event data into meaningful analytical information, you must describe the physical and logical properties of your network. Tasks that you must complete for this phase usually include the following:

- Using the console, create the organizational units and user roles that are specific to your environment.
- Using the alerting capabilities provided, set up the appropriate physical notifications of important incident activity. For example, Information Manager can be configured to page the appropriate response team members.
- Using the Assets pane of the console, create or import a list of assets, assigning the Confidentiality, Integrity, and Availability (CIA) values as appropriate.
- Using the console, import and create the necessary policies, and then associate the policies with the relevant resources.

See Specifying networks and systems on page 44.

About the tuning phase

After configuration is complete, live event data is presented in the Information Manager console. The administrator must carefully watch the flow of event data to identify bottlenecks and types of data that can be filtered. As incidents are generated, the administrator must evaluate whether the current configuration of rules, filters, assets, and roles is providing sufficient information.

The tuning phase tasks often include the following:

- Analyze the event and incident data to identify anomalous behavior.
- Adjust the Global Intelligence Network feed as needed.
- Tune the Information Manager data retention settings.
- Customize the Information Manager maintenance configuration.
- Analyze and, where necessary, adjust the Information Manager system events.
- Identify and create event filters that can be implemented at the collector to reduce the number of false positives that are sent to the appliance.
- Customize the rules that are provided to match the needs of the customer environment.
- Create and baseline custom event queries.
- Create and baseline custom reports, and verify their accuracy by comparing case studies of raw data with the displayed results.
- Adjust the Information Manager dashboard to present the data that is most critical from an administrator's perspective.

See Customizing correlation rules and filters on page 47.

About the knowledge transfer and deliverable creation phase

The knowledge transfer and deliverable creation phase includes creating a set of short, focused documents that record the details of the deployment. In most cases, if an outbreak occurs, security analysts and administrators benefit from having a central information repository that contains a quick summary of the relevant deployment information.

Administrators and analysts can use the Information Manager console to determine many of the details of the deployment. However, some pieces of information, such as the details on how and when Information Manager components were deployed, may not be readily visible. For example, having a record of which administrators were involved during installation and tuning may help to expedite incident resolution.

To assist with this phase, the Symantec Security Information Manager Deployment Planning Guide includes a set of worksheets that you can use to create a written record of the deployment. It also includes a sample worksheet that demonstrates how you can track changes (change control) to the system as your environment evolves.

See Installation tables on page 70.

Although it is not a requirement, Symantec Consulting Services can provide this valuable service to customers who need customized assistance. The knowledge transfer and deliverable creation phase includes consultants providing additional guidance on the nuances of using Information Manager to the customer's greatest advantage. The consultant will provide guidance on where to find the information that is specific to the customer's environment, give tips on maintaining and further tuning Information Manager as more data becomes available, and provide the relevant software and configuration documents. In addition, the consultant may also discuss areas that have been identified as future needs related to collector deployment and Information Manager scaling as the network changes.
About post-deployment optimization

In addition to the deployment stages, an additional optimization phase begins after the deployment is completed. The post-deployment optimization phase involves further customizing Information Manager to meet the informational needs of your security analysts. As the network grows and the types of attacks evolve, you must adjust Information Manager to accommodate the changes to the security environment. For example, the administrator will need to fine-tune the event flow and incident creation processes as they evaluate the new kinds of security threats that arise. Although this stage is not part of the initial deployment, it should be accounted for during the planning and resource estimation phase.

For more information on post-deployment tasks, see the Symantec Security Information Manager Administrator's Guide.
Chapter 4
Planning for event collection and archiving

This chapter includes the following topics:

- Planning tasks for event collection and archiving
- Event collection and archive planning considerations
- How to estimate the event generation rate
- About filtering and aggregating events at the event collector
- About event archive filters
- How to estimate event archive storage requirements
- Event data retention compliance options
- About multiple event archives
- Event collection and archiving checklist

Planning tasks for event collection and archiving

Information Manager's event collection and archiving features help you to comply with regulatory policies. Information Manager stores security events in a compressed archive format that maximizes capacity and accessibility. For optimal event collection and archiving, you should complete the following planning tasks:

- Estimate the number of events that are generated per second by the security products in your environment.
- Estimate the percentage of the security events that can be filtered or aggregated at the event collector.
- Estimate the percentage of security events that are required for correlation purposes only.
- Estimate the percentage of events that must be archived.
- Determine the length of time that events must remain in an archive before they can be purged or moved to long-term storage.

With this information, you can plan the event handling and archiving aspects of your Information Manager deployment. In some cases, a single Information Manager system will satisfy your event collection, archiving, and correlation requirements. In many cases, such as in an environment with significantly long data retention requirements, you may choose to add storage devices to an Information Manager or to distribute the collection, archiving, and correlation of events across multiple Information Managers.

Event collection and archive planning considerations

When you are planning for data collection and retention, consider the following factors:

Which security products are deployed in your enterprise, and which events should be collected for archival purposes?
    You may need to archive some events to comply with industry regulations, and other events for internal security monitoring purposes.

Do you need to archive all event data?
    You may need to archive all event data, or you may need to archive only high-priority or high-severity events.

Does the event data need to be stored in its original format?
    Information Manager normalizes event data to provide cross-product event correlation. However, you can configure Information Manager to store event data in the format in which it was originally collected.

For how much time do you need immediate access to the data for report generation or incident investigation?
    The amount of data that you need to have readily accessible dictates the amount of storage that you require for the Information Manager event archives.
Does all event data share a single retention requirement? For example, must the firewall data and the intrusion detection data be retained for the same duration? Should the security events remain in a single logical location for maintenance purposes?
    If the event retention requirements vary based on the event source or the event priority, consider storing events with similar retention requirements in the same archive. For example, in a multiple Information Manager deployment, you can forward all high-priority events to an Information Manager with an event archive that retains data for 3 months. You can then forward all low-priority events to an archive that is purged each week.
    Multiple Information Managers can be configured to archive events to the same storage area network (SAN), in which case you can manage all of the Information Manager data from a single device.

Do you require redundant security data?
    If you need to store multiple copies of the event data, consider forwarding events for storage in multiple event archives. Each archive can be maintained separately so that a single point of failure is eliminated.

You can customize your Information Manager deployment in response to changes in your data collection and retention requirements. You can add Information Managers to collect data from additional security products. You can also add attached storage to accommodate the increase in the number of events.

How to estimate the event generation rate

To estimate the rate at which events will be sent to Information Manager, you can audit the events that you intend to collect. Events can originate from a variety of enterprise sources, including firewalls, enterprise antivirus, vulnerability scanners, and intrusion detection products.

For each security product or device, monitor the event data for one week to estimate the following rates:

- The average number of events per second that the product or device generates
- The average number of events per second that the event collector can filter or aggregate
- The final event rate, which is the result of subtracting the filtered and aggregated events from the generated events

Adding the final event rates for each device yields the total number of events per second that are sent to Information Manager for correlation and archiving.

Note: When you are estimating the event rates, be sure to account for planned, as well as current, event sources.

About filtering and aggregating events at the event collector

To minimize event collection network traffic, you can filter or aggregate events at the event collector. Event filtering identifies and discards false positives or other unwanted events. Event aggregation consolidates multiple similar or redundant events into a single event that includes the aggregate count. Aggregated events cannot be decompressed into their original event states.

Note: When you evaluate events for potential filtering or aggregation, verify that your policies do not require that the individual events be retained in the archive.

Table 4-1 describes general filtering and aggregation guidelines for security device types.

Table 4-1 Filter and aggregation guidelines

Test networks
    Test networks can generate security events that do not indicate any actual threat. Consider filtering all events that originate from isolated test networks.

Firewall
    Firewalls generate the majority of all enterprises' security events. Typically, you can filter connection-dropped events, and you can aggregate events for which the source port and the target port are the same. In many environments, firewall events can be filtered and aggregated in a 5:1 ratio.

Enterprise Antivirus
    Enterprise antivirus systems customarily report a number of informational events for each protected system. You can consider filtering or aggregating the following types of events:
    - Scan start and scan stop: Scan start and scan stop events do not pose a security threat and can be filtered or aggregated.
    - Virus repaired: Virus repaired events indicate that the antivirus software is repairing infected systems. If there are infections in your environment that are commonly repaired, consider aggregating virus-repaired events by the virus name.

Vulnerability
    Typically, all vulnerability scan events should be sent to Information Manager for correlation.

Intrusion Detection and Prevention
    Assuming that the IDS and IPS systems are properly tuned, all intrusion detection and intrusion prevention events should be sent to Information Manager for correlation.

Windows Event Log
    The Windows Event Log stores both operating system events and application events. Because each Windows system may have different applications installed, filtering and aggregation should be based on specific event and application criteria. Consider filtering or aggregating the following types of events:
    - Application: Some applications can generate an excessive number of informational and warning events. These events can be filtered or aggregated based on the specific event source and event identifier.
    - System: Some system event sources, such as the Service Control Manager, generate many informational events. These events can be filtered or aggregated based on the event source and identifier.

For more information about filtering and aggregating events, see the Event Collector Integration Guides and the Symantec Security Information Manager Administrator's Guide.
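The following is an added example (not Symantec collector code) that applies the Table 4-1 guidelines to a constructed batch of events: filtering drops test-network, connection-dropped, scan start/stop and a noisy Windows event source, while aggregation collapses like events into one counted event; the event field names, the test-network name and the Windows source/identifier pair are assumptions.

```python
"""Collector-side filtering and aggregation following the Table 4-1 guidelines.
Added example: not Symantec collector code; the event fields and the sample
events below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Event:
    source: str                 # device type: firewall, antivirus, ids, windows, ...
    event_type: str             # product-specific event name
    fields: dict = field(default_factory=dict)
    count: int = 1              # an aggregated event carries how many it stands for


# Constructed sample values: an isolated test network, and a Windows event
# source/identifier pair whose informational events are dropped at the collector.
TEST_NETWORKS = {"qa-test-lab"}
NOISY_WINDOWS_SOURCES = {("Service Control Manager", 7036)}


def should_filter(ev: Event) -> bool:
    """True when Table 4-1 says the event can be discarded at the collector."""
    if ev.fields.get("network") in TEST_NETWORKS:
        return True                                   # test-network traffic
    if ev.source == "firewall" and ev.event_type == "connection-dropped":
        return True                                   # dropped connections
    if ev.source == "antivirus" and ev.event_type in ("scan-start", "scan-stop"):
        return True                                   # scan start / scan stop
    if ev.source == "windows":
        key = (ev.fields.get("event_source"), ev.fields.get("event_id"))
        return key in NOISY_WINDOWS_SOURCES           # by event source and identifier
    return False


def aggregation_key(ev: Event):
    """Grouping key for events that may be consolidated, or None to forward the
    event intact (vulnerability and IDS/IPS events are always sent as they are)."""
    if ev.source == "firewall":
        # events with the same source port and target port collapse into one
        return ("firewall", ev.event_type,
                ev.fields.get("src_port"), ev.fields.get("dst_port"))
    if ev.source == "antivirus" and ev.event_type == "virus-repaired":
        return ("antivirus", "virus-repaired", ev.fields.get("virus"))   # by virus name
    if ev.source == "windows":
        return ("windows", ev.fields.get("event_source"), ev.fields.get("event_id"))
    return None


def process(events):
    """Filter, then aggregate; returns (forwarded_events, dropped_count).
    An aggregate keeps only the first event's fields plus a count, so the
    individual events cannot be recovered afterwards: check retention policy first."""
    forwarded, buckets, dropped = [], {}, 0
    for ev in events:
        if should_filter(ev):
            dropped += 1
            continue
        key = aggregation_key(ev)
        if key is None:
            forwarded.append(ev)
        elif key in buckets:
            buckets[key].count += ev.count
        else:
            agg = Event(ev.source, ev.event_type, dict(ev.fields), ev.count)
            buckets[key] = agg
            forwarded.append(agg)
    return forwarded, dropped


def reduction_ratio(events) -> float:
    """Generated events per forwarded event (the guide cites 5:1 for firewalls)."""
    forwarded, _ = process(events)
    return len(events) / len(forwarded) if forwarded else float("inf")


# Constructed sample batch of 14 events as a collector might see them.
SAMPLE_EVENTS = [
    Event("firewall", "connection-accepted", {"src_port": 40000, "dst_port": 80}),
    Event("firewall", "connection-accepted", {"src_port": 40000, "dst_port": 80}),
    Event("firewall", "connection-accepted", {"src_port": 40000, "dst_port": 80}),
    Event("firewall", "connection-dropped", {"src_port": 40002, "dst_port": 23}),
    Event("firewall", "connection-accepted", {"src_port": 40001, "dst_port": 443}),
    Event("antivirus", "scan-start", {"host": "ws-01"}),
    Event("antivirus", "scan-stop", {"host": "ws-01"}),
    Event("antivirus", "virus-repaired", {"host": "ws-01", "virus": "Sample.Worm"}),
    Event("antivirus", "virus-repaired", {"host": "ws-02", "virus": "Sample.Worm"}),
    Event("ids", "signature-match", {"signature": "sample-sig"}),
    Event("ids", "signature-match", {"signature": "sample-sig", "network": "qa-test-lab"}),
    Event("windows", "informational", {"event_source": "Service Control Manager", "event_id": 7036}),
    Event("windows", "informational", {"event_source": "SampleApp", "event_id": 1000}),
    Event("windows", "informational", {"event_source": "SampleApp", "event_id": 1000}),
]

if __name__ == "__main__":
    out, dropped = process(SAMPLE_EVENTS)
    print(f"generated={len(SAMPLE_EVENTS)} filtered={dropped} forwarded={len(out)}")
    for ev in out:
        print(ev.source, ev.event_type, ev.count, ev.fields)
```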
About event archive filters

You can configure Information Manager to archive events by using the value of one or more event fields. For example, you can archive events based on the source IP or the severity. If an event satisfies the filter criteria, Information Manager stores the event in the archive. If you do not configure an archive filter, Information Manager archives all events.

Events that are not stored in the archive are still available for correlation and forwarding. For example, you can configure Information Manager to exclude antivirus start and stop events from the archive, because the uncorrelated data is not particularly useful. However, you can configure the correlation manager to monitor those events and to generate an incident if the start and stop event sequence indicates that the antivirus application has been disabled.

How to estimate event archive storage requirements

To determine if a single Information Manager is sufficient to contain the event data that you plan to store, gather the following information:

- The total number of events to be stored in the archive per day
- The length of time that the data must reside in the archive before it can be purged or moved to offline storage

You can calculate the total archive storage as the product of the event storage and the event retention, where:

    archive size (KB) = #events/day * 0.5 KB (average event size) * #days retained

Contact your Symantec representative for the latest Information Manager sizing tools. Note that the average event size may vary significantly from one environment to another.

Event data retention compliance options

You can deploy Information Manager to collect and archive data for regulatory compliance purposes. You can customize the deployment to increase the attached storage or to distribute event archives across multiple Information Managers. If the amount of data that needs to be retained exceeds the available archive space, you can attach additional event archive storage. Table 4-2 describes the Information Manager data retention options.
Table 4-2 Information Manager data retention options

Multiple event archives
    You can use multiple appliances to filter and store different types of event data depending on your data compliance requirements. Using the Information Manager console, you can configure each appliance to filter the events that are archived on that appliance based on the criteria you choose. For example, your data retention policies may require that certain types of event data be kept in long-term storage. Other types of data may be useful from an administrative perspective, but long-term storage of that data is not necessarily required for compliance. In this simplified case, you could configure one appliance to store only the event data that must be kept for a longer term, and a second appliance that stores and purges non-critical event data on a shorter cycle.

Local event archives
    You can copy event archives from an Information Manager appliance to another computer, and then access these archives through the Information Manager console. Since Information Manager purges event data according to the settings you choose, copying critical data to an external computer is recommended if your compliance policies require permanent data retention. For information on creating and accessing local event archives, see the Symantec Security Information Manager Administrator's Guide.

Direct Attached Storage (DAS)
    Symantec Security Information Manager includes support for external data storage on a direct attached storage device. The Symantec Direct Attached Storage D10 device (DAS) contains 15 disk drives in a RAID-5 configuration, providing approximately 4.5 terabytes of raw storage for event data. Although DAS devices other than the Symantec Direct Attached Storage D10 can be used, the D10 is the only device that Symantec has tested with Information Manager. You can attach storage as needed to scale a single event archive up to 4 terabytes (TB). If you decide to use a third-party DAS device, make sure that it meets the following requirements:
    - Configured as RAID-5
    - Uses the drivers for Red Hat E4
    - Uses SCSI adapters that support PCIe
    - Supported by the Dell 1950 or 2950 platform (Information Manager 9600-series appliance)

Network Attached Storage (NAS)
    You can use a Network Attached Storage device for event archiving. For information on creating and accessing event archives using a Network Attached Storage device, see the Symantec Security Information Manager Administrator's Guide.

Storage Area Network (SAN)
    You can use a Storage Area Network for event archiving. If you locate the event archives on a SAN, multiple Information Managers can write to the same device. For information on creating and accessing event archives using a Storage Area Network, see the Symantec Security Information Manager Administrator's Guide.

About multiple event archives

To increase the total archive storage, you can deploy multiple Information Managers. You can configure each Information Manager to archive events locally and then forward the events to a central Information Manager for correlation. When you off-load the event archiving and configure an Information Manager for correlation only, the correlation EPS can be increased significantly.

In a multiple Information Manager deployment, you can also configure different purge settings for each archive, and you can forward specific events to a particular archive. You can selectively forward events to minimize event traffic between Information Managers. For example, you can configure an Information Manager to store all events locally for forensic purposes. You can then forward only high-severity events to a separate correlation Information Manager.

For more information about configuring event forwarding, see the Symantec Security Information Manager Administrator's Guide.

Event collection and archiving checklist

You can use the following checklist to plan for event collection and archiving:

- Estimate event rates for all the devices that you intend to monitor.
- Account for increases in network utilization and the integration of additional event collectors.
- Configure event collector filtering and aggregation, selective event forwarding, and event archive filters to reduce event network traffic and archive storage requirements.
- Ensure that event collectors have authorized access to the event sources. For example, the Event Manager for AV state plug-in requires access to the Windows registry. See the Event Collector Integration Guides for details.
- Ensure that the event collectors can communicate with Information Manager. Open the necessary ports, obtain certificates (self-signed or from a certificate authority), and resolve any network address translation (NAT) issues.
- Do monthly audits on the database to determine if there are any events to which an event collector or archive filter can be applied.
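As an added worked example of the first checklist item and of the sizing formula in "How to estimate event archive storage requirements" (not a Symantec sizing tool), the following code sums per-device final event rates, including a planned source, sizes a single archive against the 4 TB single-archive limit from Table 4-2, and compares that with the split the chapter suggests (high-priority events retained for 3 months, low-priority events purged weekly); the device figures and the 10 percent high-priority share are constructed assumptions.

```python
"""Event-rate and archive-sizing worked example for this chapter's planning steps.
Added illustration, not a Symantec sizing tool; device figures are constructed.
Formula from "How to estimate event archive storage requirements":
    archive KB = events/day * 0.5 KB (average event size) * days retained"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
AVG_EVENT_KB = 0.5            # average event size the guide assumes; varies by environment
SINGLE_ARCHIVE_CAP_TB = 4.0   # a single event archive scales up to 4 TB (Table 4-2, DAS)
KB_PER_TB = 1024 ** 3


@dataclass
class DeviceRate:
    """Rates measured over one week for one product or device, in events/second."""
    name: str
    generated_eps: float
    filtered_eps: float = 0.0         # discarded at the collector
    aggregated_eps: float = 0.0       # folded into counted aggregate events
    planned: bool = False             # not yet deployed, but counted (see the note above)
    high_priority_share: float = 0.1  # fraction of final events that are high priority (assumed)

    @property
    def final_eps(self) -> float:
        """Generated minus filtered and aggregated: what is actually sent."""
        return self.generated_eps - self.filtered_eps - self.aggregated_eps


def total_eps(devices, include_planned: bool = True) -> float:
    """Sum of final rates across devices: the load reaching Information Manager."""
    return sum(d.final_eps for d in devices if include_planned or not d.planned)


def archive_kb(events_per_day: float, days_retained: int, avg_event_kb=AVG_EVENT_KB) -> float:
    return events_per_day * avg_event_kb * days_retained


def plan_single_archive(devices, days_retained: int) -> dict:
    """Size one archive that holds every forwarded event for the retention period."""
    per_day = total_eps(devices) * SECONDS_PER_DAY
    tb = archive_kb(per_day, days_retained) / KB_PER_TB
    return {"events_per_day": per_day, "archive_tb": tb,
            "fits_single_archive": tb <= SINGLE_ARCHIVE_CAP_TB}


def plan_split_archives(devices, high_days: int = 90, low_days: int = 7) -> dict:
    """Split by priority as the chapter suggests: high-priority events to an archive
    retained for three months, low-priority events to one purged each week."""
    high_eps = sum(d.final_eps * d.high_priority_share for d in devices)
    low_eps = total_eps(devices) - high_eps
    high_tb = archive_kb(high_eps * SECONDS_PER_DAY, high_days) / KB_PER_TB
    low_tb = archive_kb(low_eps * SECONDS_PER_DAY, low_days) / KB_PER_TB
    return {"high_priority_tb": high_tb, "low_priority_tb": low_tb,
            "total_tb": high_tb + low_tb}


# Constructed one-week measurements; the firewall shows the 5:1 reduction from Table 4-1.
SAMPLE_DEVICES = [
    DeviceRate("perimeter firewall", 2000.0, filtered_eps=800.0, aggregated_eps=800.0),
    DeviceRate("enterprise antivirus", 50.0, filtered_eps=20.0, aggregated_eps=10.0),
    DeviceRate("network IDS", 100.0),
    DeviceRate("windows event log", 300.0, filtered_eps=150.0, aggregated_eps=50.0),
    DeviceRate("vulnerability scanner", 30.0, planned=True),
]

if __name__ == "__main__":
    print(f"current load: {total_eps(SAMPLE_DEVICES, include_planned=False):.0f} EPS, "
          f"with planned sources: {total_eps(SAMPLE_DEVICES):.0f} EPS")
    for days in (90, 365):
        print(f"{days}-day single archive:", plan_single_archive(SAMPLE_DEVICES, days))
    print("split archives:", plan_split_archives(SAMPLE_DEVICES))
```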
Chapter 5
Planning for event correlation and incident management

This chapter includes the following topics:

- Event correlation planning tasks
- Event correlation considerations
- Specifying networks and systems
- About vulnerability scanners
- Customizing correlation rules and filters
- Event correlation checklist

Event correlation planning tasks

To ensure that Information Manager accurately identifies and prioritizes security incidents in your environment, complete the following tasks:

- Identify the critical networks and systems in your environment.
- Identify any of the policies that are associated with the systems in your environment.
- Perform vulnerability scans on your network.
- Determine which events are required for correlation purposes.
- Determine which correlation rules are necessary for the security events and systems in your environment.
44 44 Planning for event correlation and incident management Event correlation considerations With this information, you can configure Information Manager to correlate the security events with the assets in your environment. Event correlation considerations When you are planning for event correlation, consider the following factors: Which security events should be correlated? What is the event archiving rate at the Information Manager? Can the event data be correlated at separate Information Managers? High-priority events are customarily correlated and archived. The event collector can use a filter to exclude certain informational events from the correlation engine. You can optimize the correlation manager performance by reducing the number of events that it must inspect. Using the Information Manager console, you can monitor the performance of the appliance. If the typical sustained event archiving rate at the Information Manager appears to be causing performance degradation, consider off-loading the event archiving to an alternate Information Manager. Off-loading the event archiving can increase the correlation throughput significantly. In a large deployment, it may be necessary to distribute correlation processing across multiple Information Managers. You can configure collection Information Managers to forward classes of events to particular Information Managers for correlation. You can configure the destination correlation Information Managers to test only those correlation rules that pertain to the types of events that they receive. Specifying networks and systems You must specify the networks and critical systems in your environment so that the correlation manager can recognize security incidents. Proper configuration allows Information Manager to assign incident priorities that are based on target system attributes. For each network, specify the following attributes:
- Network name: You can create correlation rules and filters that trigger based on the name of a network. For example, if you have a network that is dedicated to software testing, you could use the network name as part of a rule that filters harmless traffic that is generated on that network.
- Subnet mask: The correlation manager uses the subnet mask to identify systems on the network and to distinguish between internal and external network traffic. The subnet mask is specified in Classless Inter-Domain Routing (CIDR) notation.
- Physical location: You can create correlation rules that trigger based on a particular network physical location.
- Logical location: You can create correlation rules that trigger based on a particular network logical location.

In a large enterprise deployment, you should identify DNS, Web, mail, file, and database servers. You should also identify the systems that host network scanning applications.

For each critical system, define the following characteristics:
- Operating system type: You can create rules that trigger based on a particular operating system.
- Machine identifiers: The correlation manager recognizes machines by one or more of the following identifiers: IP address, host name, distinguished name, or MAC address.
- System services: The correlation manager identifies legitimate open ports and network traffic by tracking the services, such as FTP or SMTP, that are running on the system. You can add services to a system manually, or you can populate the services list with information from a vulnerability scanner.
- Confidentiality, integrity, and availability (CIA) ratings: The correlation manager uses the CIA ratings to calculate the priority of the incidents that are related to the system. See About CIA ratings on page 46.
- Regulatory policies: The correlation manager recognizes infractions of well-known policies, such as Sarbanes-Oxley or HIPAA.
You can use one or more of the following options to configure the network and system information:
- Configure the networks and systems individually.
- Import the information from a CSV file (such as one exported from Active Directory).
- Integrate Information Manager with a vulnerability scanner.
- Add a system when Information Manager associates an incident with the system.

It is important that you identify not only the critical systems, but also any noncritical systems that generate many events. The identification and rating of noncritical systems prevents the creation of unwanted incidents.

For more information about specifying networks and systems, see the Symantec Security Information Manager Administrator's Guide.

About CIA ratings

The correlation manager uses the Confidentiality, Integrity, and Availability (CIA) ratings of a system to calculate the priority of the incidents that are related to the system.

The confidentiality rating indicates the sensitivity of the information that is hosted on the system. You should rate the confidentiality of systems that host sensitive information, such as personnel data, higher than the confidentiality rating for the systems that host public information.

The integrity rating indicates the impact of unwarranted modifications to the information that is hosted on the system. You should rate the integrity of systems that host critical information, such as accounting data, higher than the integrity rating of the systems that host less important data.

The availability rating indicates the negative impact of unscheduled system outages. You should rate the availability of systems that have strict up-time standards higher than the availability rating of the systems that host noncritical applications. For example, an e-commerce Web site likely requires a higher availability rating than an internal-only application server.
The correlation manager triggers certain rules according to the specific confidentiality, integrity, and availability ratings that are assigned to the target system. You can customize the correlation rules or the CIA ratings to make sure that the rules trigger at the appropriate threshold.

About policies

The Information Manager correlation manager can create incidents that are related to policy infractions. When you configure a system, you should specify every policy that applies to the system. You can select from a list of well-known
regulatory policies, or you can create custom policies that reflect your internal standards. The priority of the incidents that are related to an asset is affected by the association of a policy with the asset. For example, if an attack on port 80 targets a system with a Web server policy, Information Manager assigns a high priority to the incident. If the target system does not have the Web server policy, Information Manager assigns a low priority to the incident.

About vulnerability scanners

You can use vulnerability scanners to populate your network and system asset information. For a current list of vulnerability scanners that are supported, see the support Web site:

When you run a vulnerability scan, the event collector sends one or more events for each system that is scanned. Information Manager populates the asset tables with the scan data and includes information about any vulnerabilities that were detected. To create security incidents that are related to vulnerabilities, you can create correlation rules that are triggered when an attack exploits these vulnerabilities. For information about correlating vulnerabilities and exploits, see the Symantec Security Information Manager Administrator's Guide.

Customizing correlation rules and filters

Information Manager has a default set of correlation rules that are used to identify antivirus, firewall, intrusion detection, and policy compliance security incidents. Information Manager also includes a set of event filters that filter the security events that do not indicate a potential threat. Filtering helps to reduce the number of false positives that must be evaluated. As global threats and vulnerabilities are discovered, the Threat and Vulnerability Management service updates the information on which the rules are based.
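The network and system attributes described in this section (CIDR subnets, machine identifiers, services, CIA ratings, and policy assignments) can be held in a small asset model, and the port 80 / Web server policy example can be reproduced from it. The following Python example is added here for illustration; it is not Information Manager code, and the 1-to-5 CIA scale, the scoring thresholds, the port-to-service table and the sample networks and hosts are all assumptions constructed for the example.

```python
"""Asset inventory and CIA/policy-based incident priority.

Added illustration only; not Information Manager code. The CIA scale (1..5),
the scoring thresholds and the port-to-service map are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Network:
    name: str
    cidr: str               # subnet mask in CIDR notation, e.g. "10.20.0.0/16"
    physical_location: str
    logical_location: str


@dataclass
class Asset:
    hostname: str
    ip: str
    os: str
    services: set           # legitimate listening services, e.g. {"http", "https"}
    cia: tuple              # (confidentiality, integrity, availability), each 1..5 (assumed scale)
    policies: set = field(default_factory=set)


# Assumed mapping of attacked destination ports to the service that legitimately owns them.
SERVICE_PORTS = {21: "ftp", 25: "smtp", 80: "http", 443: "https"}


class AssetInventory:
    def __init__(self, networks, assets):
        self.networks = [(ip_network(n.cidr), n) for n in networks]
        self.assets = {ip_address(a.ip): a for a in assets}

    def network_for(self, ip):
        """Return the configured network containing `ip`, or None if it is external."""
        addr = ip_address(ip)
        for net, meta in self.networks:
            if addr in net:
                return meta
        return None

    def is_internal(self, ip):
        return self.network_for(ip) is not None

    def asset_for(self, ip):
        return self.assets.get(ip_address(ip))

    def incident_priority(self, target_ip, dst_port):
        """Rate an attack against target_ip:dst_port as high, medium or low.

        Unrated targets default to low so that noisy, unregistered systems do
        not generate unwanted incidents (assumed default).
        """
        asset = self.asset_for(target_ip)
        if asset is None:
            return "low"
        score = sum(asset.cia)                      # 3..15 from the CIA ratings
        service = SERVICE_PORTS.get(dst_port)
        if service in asset.services:
            score += 3                              # the port is a real, listening service here
        if service == "http" and "Web server" in asset.policies:
            score += 3                              # policy says this host is a Web server
        if score >= 16:
            return "high"
        if score >= 10:
            return "medium"
        return "low"


def build_sample_inventory():
    """Constructed sample data, not taken from any real environment."""
    networks = [
        Network("corp-ny", "10.20.0.0/16", "New York", "corporate"),
        Network("dev-test", "10.99.0.0/16", "Los Angeles", "software testing"),
    ]
    assets = [
        Asset("www1", "10.20.1.10", "Linux", {"http", "https"}, (3, 4, 5), {"Web server"}),
        Asset("build7", "10.99.5.21", "Windows", {"smtp"}, (2, 2, 2)),
    ]
    return AssetInventory(networks, assets)


if __name__ == "__main__":
    inv = build_sample_inventory()
    print(inv.network_for("10.99.5.21").name, inv.is_internal("203.0.113.9"))
    print(inv.incident_priority("10.20.1.10", 80), inv.incident_priority("10.99.5.21", 80))
```

The same attack on port 80 comes out as high priority against the rated Web server and low against the build host, which is the behaviour the policy paragraph describes; the network lookup is what lets a rule distinguish internal from external traffic or key on a network name such as dev-test.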
For example, when the Threat and Vulnerability service updates the IP watch list, Information Manager automatically recognizes attacks originating from the newly suspicious IP addresses.

You can customize the correlation rules and filters based on the security event traffic in your environment. For example, you can customize a virus outbreak rule by fine-tuning the number of viruses that must be reported to constitute an outbreak. You can also create new rules to support the security policies in your
environment. For example, you can create custom rules to recognize internal policy infractions. For information about customizing and creating rules, see the Symantec Security Information Manager Administrator's Guide.

Event correlation checklist

You can use the following checklist to plan for event correlation:
- Identify and rate the networks and systems that you intend to monitor.
- Identify which policies are in effect in your environment; create new policies as required.
- Schedule periodic vulnerability scans on your network to update the asset information. The frequency is unique to each environment. In some cases, a daily scan is performed on critical systems. In other cases, a weekly scan may be performed.
- Perform monthly audits of your networks and systems. Identify any new, modified, or defunct systems and adjust the CIA ratings and policy assignments accordingly.
- Keep the IP watch list and sensitive file list up to date with any customizations that are required for your environment.
- Review the incidents that the correlation manager creates. Fine-tune the incident generation by adjusting the event filtering and the asset CIA ratings.
Chapter 6
Planning for administration

This chapter includes the following topics:
- Administration planning tasks
- About subdomains
- About creating and assigning roles
- About administrative roles
- About event monitoring and incident management roles
- Administration checklist

Administration planning tasks

You can customize administrative and monitoring access to the Information Manager console. When you deploy Information Manager, you must determine which individuals in your organization require access to Information Manager, and for what purposes. Complete the following planning tasks:
- Determine if your organization requires Information Manager subdomains to support any existing organizational divisions.
- Identify the users that require full domain, or subdomain, administrative privileges.
- Identify the individuals or teams in your organization that require access to the Information Manager console.
- Identify the set of console tasks that each individual or team must perform.

With this information, you can create the necessary domains, organizational units, and roles.
About subdomains

If Information Manager is deployed in a decentralized organization, you can define the subdomains that correspond to each division. Subdomains are well suited for organizations in which each administrator requires full autonomy over an area of responsibility. For example, an administrator may exclusively manage a geographic region or an entire line of business.

You can create a subdomain during Information Manager installation by specifying the domain name in child.parent notation. For example, a company that is called Evergreen might be organized into three geographic regions: Asia, Europe, and the United States. You could create one subdomain for each geographic region, as shown here:

  Asia            as.evergreen
  Europe          eu.evergreen
  United States   us.evergreen

Each subdomain has a complete set of Information Manager objects, such as roles, users, notification services, and reports. These objects are under the complete control of the subdomain administrator. The domain administrator has access to all subdomains, can configure cross-subdomain event forwarding, and can grant cross-domain privileges to users.

About creating and assigning roles

To grant or restrict access to the Information Manager console features, domain administrators can create the roles that define specific permissions and capabilities. Each role pertains either to the Information Manager system or to one of the integrated event collectors. Within the role definition, domain administrators can grant access to all component features, or they can segregate administrative and monitoring capabilities. If a user requires access to multiple components, such as multiple event collectors, the domain administrator can assign multiple roles to the user.

When you create an Information Manager domain or subdomain, you assign one or more users to the Domain Administrator role.
Domain administrators have full access to the Information Manager systems and the event collectors that are installed in the domain. Only domain administrators can access the Web configuration tools and create new roles.
Depending on the types of Information Manager console users, the domain administrator may need to define the following types of roles:
- Roles that provide Information Manager and event collector administrative capabilities
- Roles that provide event monitoring, incident management, and ticket management capabilities

For information about how to create and assign roles, see the Symantec Security Information Manager Administrator's Guide.

About administrative roles

The domain administrator can create roles specifically for users who are responsible for Information Manager and event collector administrative tasks. Typically, an Information Manager administrator has access to the following console tasks:
- Create and modify organizational units.
- Configure networks and assets.
- Create and modify correlation rules and filters.
- Configure event forwarding.
- Configure archive filters.
- Manage updates from the Global Intelligence Network.

The domain administrator can also create roles for users who are responsible for administering event collectors. Event collector administrators typically have permissions to create, modify, and distribute event collector configurations. The domain administrator can customize event collector administrative roles to grant access to the event collectors that are in specific organizational units.

About event monitoring and incident management roles

The domain administrator can create monitoring roles that allow access to the Information Manager event and incident data but do not allow configuration capabilities. Typically, a user in a monitoring role can perform one or more of the following tasks:
- View event archives.
- View specific reports or groups of reports.
- Create reports.
- Generate reports.
- View incidents.
- Assign incidents.

Administration checklist

You can use the following checklist to plan for Information Manager administration:
- Determine your domain naming convention before installing your initial Information Manager.
- Assign the Domain Administrator role to the users who need to create roles.
- As you integrate Information Manager with new event collectors, create and assign the required administrative and monitoring roles.
- As you modify help desk or incident response teams, create and assign the required roles.
- As you expand the Information Manager domain, create and assign administrative roles for the new organizational units that you add.
Chapter 7
Deployment examples

This chapter includes the following topics:
- Deployment scenarios overview
- Integrated security management scenario overview
- Event correlation scenarios overview

Deployment scenarios overview

Symantec Security Information Manager gathers and presents the event data that business owners and administrators need to monitor and protect network resources. Information Manager can be customized to meet the needs of each environment, from small businesses that operate relatively few endpoints to large enterprises that administer intertwined global networks.

The scenarios in this section are provided as a snapshot of common environments in which Information Manager is deployed. Each customer environment varies considerably, but the deployment principles that are illustrated in the examples should help you gain a better understanding of the tasks that will likely need to be considered. The scenarios are organized according to tasks that are commonly accomplished with Information Manager. These tasks are common to businesses of any size and can be scaled accordingly.

Integrated security management scenario overview

In this scenario, the security administrator is tasked with identifying and resolving antivirus and firewall security incidents. The administrator must implement the following security policies:
- Manage and monitor all antivirus activity. The administrator needs to create specific reports to track the overall antivirus security posture.
- Reduce the response time for antivirus incidents to a single day. Over 80% of the security incidents that are reported in the organization are related to antivirus issues.
- Track critical events from the Cisco PIX and Juniper NetScreen firewalls at a central location.

To satisfy the requirements, the security administrator deploys Information Manager with event collectors for the antivirus, firewall, and vulnerability scanning products in the enterprise. To reduce the incident resolution time, the administrator automates the remediation of virus incidents by assigning trouble tickets to a staff of antivirus technicians.

To begin planning the deployment, the network administrator needs to complete the following tasks:
- Estimate the event traffic and storage requirements for the antivirus and firewall events.
- Identify the antivirus and firewall correlation rules that need to be customized.
- Identify the console tasks that should be performed by firewall and antivirus technicians.

Antivirus and firewall event traffic

To estimate the event traffic, the security administrator reviews the deployment of the antivirus and firewall products.

Symantec AntiVirus

The organization's enterprise antivirus configuration is as follows:
- 14,000 managed Symantec AntiVirus clients in the New York office
- 16,000 Symantec AntiVirus clients in the Los Angeles office
- 5 parent servers managing the clients in New York
- 7 parent servers managing the clients in Los Angeles
- 2 primary servers, one in New York and one in Los Angeles

In this configuration, the clients report state and event log information to the parent servers. Client state information includes the virus definition version, the time of the last virus scan, and the time of the last check-in with the parent server. Client event logs store information about any viruses that are detected on the client and whether the virus was removed or quarantined.
The parent servers maintain the state information locally and forward the event log information to the primary servers.
Each of the 30,000 antivirus clients reports a maximum of 50 events per day. Of these 50 events, 30 can be considered informational and consequently filtered by the event collector. The remaining 20 events per day, multiplied by 30,000 clients, results in a total event rate of 600,000 events per day. This equates to approximately 7 events per second.

PIX and NetScreen firewalls

The organization has six PIX firewalls and two NetScreen firewalls, each of which generates approximately 15 GB of event log data per day. The administrator estimates that each raw firewall event is 1 KB, and concludes that the average event generation rate per firewall is 175 events per second. The eight firewalls are expected to generate an unfiltered event stream of approximately 1500 EPS. An inspection of the firewall log data reveals that one-third of the events from two of the firewalls originate from test networks in the organization. The firewall event collectors can be configured to filter these events, thus reducing the overall rate to under 1300 EPS.

Network and asset identification

The BindView vulnerability scan is run once a week and reports inventory and vulnerability information for all systems on the network. To ensure that the correlation manager recognizes any threats to the enterprise antivirus system, the administrator should assign high confidentiality, availability, and integrity ratings to the primary servers, the parent servers, and the LiveUpdate virus definition server.

Correlation rules and filters

To ensure that the correlation manager identifies antivirus incidents and security policy infractions, the administrator must customize the correlation rules as follows:
- Update the default antivirus outbreak rule to recognize a virus outbreak when more than 100 irreparable virus events are reported within a 10-minute period.
- Add a correlation rule to create an incident when a computer reports more than 3 virus infections per day.
- Add a correlation rule to create an incident when a computer does not contact a parent server for one week or more.
- Add a correlation rule to create an incident for failure to update virus definitions within a week.
- Add a correlation rule to track application start or stop events. If an application start or stop event is detected, create an incident when the AntiVirus application has been stopped, and not restarted, for a week or more.

Administrative and monitoring roles

The administrator needs to identify the users in the organization who require access to the Information Manager console. The console users include the individuals responsible for enterprise antivirus monitoring and management: antivirus managers, technicians, report developers, and report generators. To support these users, the administrator needs to create the following roles:
- Antivirus manager: Antivirus managers need access to administrative tasks for components within their New York or Los Angeles organizational units. Antivirus managers create and assign incidents to antivirus technicians.
- Antivirus technician: Antivirus technicians need access to summary and detailed event, incident, and alert data. Antivirus technicians can modify incident status and add incident resolution information.
- Antivirus report developer: Antivirus report developers need access to enterprise-wide antivirus event data. Antivirus report developers need permissions to create and customize antivirus reports.
- Antivirus report generator: Antivirus report generators need permissions to view and generate reports in specific report groups.

Note: To create roles, the antivirus administrator must be assigned to the Domain Administrator role.

About installation and configuration

To implement the planned deployment, the administrator must configure the Information Manager appliance and install and configure the Event Manager for AntiVirus.
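The event-rate arithmetic from the antivirus and firewall event traffic section, written out as a small Python worksheet so the same estimate can be repeated for other client populations, log volumes and filter ratios. This is an added example, not one of the Symantec sizing tools the appendix refers to. It assumes decimal units (1 GB = 10^9 bytes, 1 KB = 1000 bytes), so its per-firewall figure comes out a little below the guide's rounded 175 EPS, while the filtered total still lands under the 1300 EPS the scenario states.

```python
"""Event-rate worksheet for the antivirus and firewall scenario.

Added example, not a Symantec sizing tool. Units are assumed decimal
(1 GB = 10**9 bytes, 1 KB = 1000 bytes); the guide rounds its figures.
"""
SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 10 ** 9


def eps(events_per_day):
    """Events per second for a sustained daily volume."""
    return events_per_day / SECONDS_PER_DAY


def endpoint_population(clients, events_per_client_day, informational_per_client_day):
    """Agents with a known per-client event count: (raw, after collector filter) events/day."""
    raw = clients * events_per_client_day
    kept = clients * (events_per_client_day - informational_per_client_day)
    return raw, kept


def log_volume_devices(devices, gb_per_device_day, bytes_per_event, filtered_fractions):
    """Devices sized by log volume: derive events/day from bytes/day and mean event size.

    `filtered_fractions` lists, for each device that gets a collector filter,
    the share of its events the filter drops (e.g. test-network traffic).
    """
    per_device = gb_per_device_day * BYTES_PER_GB / bytes_per_event
    raw = devices * per_device
    dropped = sum(fraction * per_device for fraction in filtered_fractions)
    return raw, raw - dropped


def scenario_estimate():
    """The scenario's numbers: 30,000 AV clients and eight 15 GB/day firewalls."""
    av_raw, av_kept = endpoint_population(30_000, 50, 30)
    fw_raw, fw_kept = log_volume_devices(8, 15, 1000, [1 / 3, 1 / 3])
    return {
        "av_events_per_day": av_kept,
        "av_eps": eps(av_kept),
        "fw_raw_eps": eps(fw_raw),
        "fw_filtered_eps": eps(fw_kept),
        "total_correlated_eps": eps(av_kept + fw_kept),
        "filter_savings_pct": 100 * (1 - (av_kept + fw_kept) / (av_raw + fw_raw)),
    }


if __name__ == "__main__":
    for name, value in scenario_estimate().items():
        print("%-22s %12.1f" % (name, value))
```

The split between raw and filtered rates is the figure that matters for placement: the collector-side filters remove the informational antivirus events and the test-network firewall traffic before they ever reach the appliance, so the correlation and archiving capacity only has to be sized for what remains.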
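The threshold rules listed under Correlation rules and filters (the outbreak rule, the per-computer infection limit, and the missed parent-server check-in) as they would be evaluated over a stream of antivirus events. This Python example is added for illustration and is not Information Manager's correlation engine or its rule syntax; the event tuples, the host names, the reference time and the event kind labels (virus_irreparable, virus_found, checkin) are constructed for the example.

```python
"""Threshold correlation rules over an antivirus event stream.

Added illustration; not Information Manager's correlation engine or rule syntax.
Event kinds (virus_irreparable, virus_found, checkin), host names and timestamps
are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2007, 6, 1, 9, 0, 0)   # constructed reference time


class OutbreakRule:
    """Outbreak: more than `threshold` irreparable virus events within a sliding `window`."""

    def __init__(self, threshold=100, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.times = deque()        # timestamps of irreparable events inside the window
        self.fired = False

    def feed(self, ts, host, kind):
        if kind != "virus_irreparable":
            return None
        self.times.append(ts)
        while ts - self.times[0] > self.window:   # expire events older than the window
            self.times.popleft()
        if len(self.times) > self.threshold and not self.fired:
            self.fired = True   # one incident per outbreak, not one per further event
            return "OUTBREAK: %d irreparable virus events within %s" % (len(self.times), self.window)
        return None


class RepeatInfectionRule:
    """More than `threshold` infections reported by one computer in one calendar day."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.counts = defaultdict(int)    # (host, date) -> infections seen
        self.fired = set()

    def feed(self, ts, host, kind):
        if kind not in ("virus_found", "virus_irreparable"):
            return None
        key = (host, ts.date())
        self.counts[key] += 1
        if self.counts[key] > self.threshold and key not in self.fired:
            self.fired.add(key)
            return "REPEAT-INFECTION: %s reported %d infections on %s" % (host, self.counts[key], ts.date())
        return None


class StaleCheckinRule:
    """A computer has not contacted its parent server for `max_age` or more.

    Absence cannot be detected event by event, so this rule records the last
    check-in per host and is evaluated against a point in time.
    """

    def __init__(self, max_age=timedelta(days=7)):
        self.max_age = max_age
        self.last_seen = {}

    def feed(self, ts, host, kind):
        if kind == "checkin":
            self.last_seen[host] = max(ts, self.last_seen.get(host, ts))
        return None

    def stale_hosts(self, now):
        return sorted(h for h, t in self.last_seen.items() if now - t >= self.max_age)


def run_rules(events, rules):
    """Feed events in time order to every rule; collect the incident strings raised."""
    incidents = []
    for ts, host, kind in sorted(events):
        for rule in rules:
            hit = rule.feed(ts, host, kind)
            if hit:
                incidents.append(hit)
    return incidents


def build_sample_events():
    """Constructed sample stream (not real product logs)."""
    events = []
    # 101 irreparable virus events spread over 40 workstations within about 8 minutes
    for i in range(101):
        events.append((T0 + timedelta(seconds=5 * i), "ws-%03d" % (i % 40), "virus_irreparable"))
    # one workstation reporting four infections in a single day
    for i in range(4):
        events.append((T0 + timedelta(hours=2 + i), "ws-099", "virus_found"))
    # parent-server check-ins: ws-200 last seen eight days ago, ws-201 seen today
    events.append((T0 - timedelta(days=8), "ws-200", "checkin"))
    events.append((T0, "ws-201", "checkin"))
    return events


def demo():
    stale_rule = StaleCheckinRule()
    incidents = run_rules(build_sample_events(), [OutbreakRule(), RepeatInfectionRule(), stale_rule])
    return incidents, stale_rule.stale_hosts(T0 + timedelta(hours=6))
```

Two design points carry over to tuning the real rules: each rule fires once per condition rather than once per event above the threshold, which keeps a single outbreak from producing hundreds of incidents, and the "has not contacted" rule is a scheduled evaluation over last-seen state rather than a match on any single event, so it needs the state collector's check-in data to have reached the appliance.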
About Event Manager for AntiVirus installation and configuration

To collect the necessary antivirus security information, the administrator needs to install Event Manager for AntiVirus on the primary servers and on the parent servers. Event Manager for AntiVirus has two installation components: the log collector and the state collector.

The log collector is installed on the two primary servers and configured to collect and filter events. The log collector requires read access to the log files.

The state collector is installed on each of the parent servers and configured to collect individual and summary state information. The state collector requires access to the Windows registry of the parent server. The administrator creates a distribution package to install the state collector and update the configuration files.

For more information about installing and configuring Event Manager for AntiVirus, see the Symantec Event Manager for Antivirus for Symantec AntiVirus Integration Guide.

About firewall event collector installation and configuration

Note: You may need to configure the PIX firewalls to adjust the log reporting level.

For more information on configuring the Cisco PIX event collector, see the Symantec Event Collector for Cisco PIX Integration Guide.

Deployment summary

The following checklist summarizes the deployment steps:
Information Manager
- Register the Event Manager for AntiVirus collector
- Add the New York and Los Angeles organizational units
- Add the primary, parent, and LiveUpdate servers to the asset list
- Create the roles for the antivirus manager, technician, report developer, and report generator
- Add the antivirus manager, technician, report developer, and report generator users to the appropriate organizational units
- Configure correlation rules to recognize antivirus policy infractions
- Install the Cisco PIX event collector
- Configure the PIX event collector syslog source
- Configure the PIX event collector to filter the events that originate from test networks
- Configure the appliance to exclude all informational events that originate from the collection appliance (optional)
- Configure the event and incident purge schedule

For information about how to install Event Manager for Antivirus, see the Symantec Event Manager for Antivirus for Symantec AntiVirus Integration Guide. For information about how to configure Information Manager, see the Symantec Security Information Manager Administrator's Guide.

Symantec AntiVirus parent servers
- Install the Event Manager for AntiVirus state collector
- Configure the state collector to report both client and summary state information

For information about how to install and configure the Event Manager for Antivirus state collector, see the Symantec Event Manager for Antivirus for Symantec AntiVirus Integration Guide.

Symantec AntiVirus primary servers
- Install the Event Manager for AntiVirus log collector
- Configure the log collector to filter informational events

For information about how to install and configure the Event Manager for Antivirus log collector, see the Symantec Event Manager for Antivirus for Symantec AntiVirus Integration Guide.
Reports

The security policy requires that the following types of reports are available:
- Current client count by product version
- Current client count by virus definition version
- Current client count by parent server
- Current clients with virus definitions that are outdated by 3 days, one week, or one month
- Top ten viruses that are found daily, weekly, and monthly
- Total number of viruses that are found daily, weekly, and monthly
- Top ten viruses that are repaired daily, weekly, and monthly
- Total number of viruses that are repaired daily, weekly, and monthly

Event correlation scenarios overview

In these scenarios, the security administrator will deploy Information Manager primarily to identify security incidents. The administrator has the following requirements:
- Events from all security devices in the enterprise must be correlated.
- The deployment must scale to support the integration of a new subdivision within the quarter.

The security administrator has audited the events that are generated by all of the security devices, and estimates that Information Manager will need to correlate 5,000 events per second (EPS). The integration of the new subdivision is expected to generate an additional 2,000 EPS. The scenarios in this section are divided into a two-appliance configuration and a three-appliance configuration.

Distributing Information Manager processing using two appliances

The 7,000 EPS correlation rate exceeds the overall processing rate for a single Information Manager. To increase the overall correlation rate, the administrator will deploy two Information Manager appliances, one to collect events, and the other to correlate and archive the events and track incidents.

Configuring the correlation Information Manager

In this scenario, the correlation Information Manager correlates events, hosts the directory service, archives events, and manages the incident, ticket, and asset database. The security administrator uses the Information Manager console to configure an appliance to focus on event correlation. In this case, the administrator specifies the following settings for the correlation appliance on the System page:
- Under Correlation, Correlation Appliance is checked.
- Under Archiving, Archiving Enabled is checked.
- Using the Event Criteria section for Archiving, the administrator creates an archiving filter based on the Severity ID. If the Severity ID is greater than 2 - Warning, the event is archived. The administrator will monitor which events are archived and adjust the filter by adding criteria as necessary.
- Under Event Routing, Correlation Forwarding is enabled. Enabling Correlation Forwarding on the correlation appliance ensures that if any security events target the correlation appliance, the events are passed into the engine for correlation.
- Under Event Forwarding, the Correlation Manager port is selected, and the localhost address is used ( by default).

The changes are then applied by clicking Apply.

Configuring the collection Information Manager

The collection Information Manager collects and then selectively forwards events to the correlation Information Manager. After the appliance has been installed and is registered with the Information Manager directory, the collection appliance is configured to focus on event collection and forwarding. In this case, the administrator specifies the following settings for the collection appliance on the System page:
- Under Correlation, Correlation Appliance is unchecked.
- Under Archiving, Archiving Enabled is unchecked.
- Using the Event Criteria section for Correlation Forwarding, the administrator creates an event filter that excludes a known false positive. In this case, the administrator knows that the RealSecure product in use incorrectly identifies activity from the firewall monitoring tool as Smurf Attack traffic. The filter uses the Vendor Signature field to exclude events with the vendor signature smurf_attack.
- Under Event Routing, Correlation Forwarding is enabled.
- Under Correlation Forwarding, the administrator uses the Event Forwarding Configuration fields to specify the host name of the correlation appliance. The port used is the Correlation Manager port.

The changes are then applied by clicking Apply.
Distributing Information Manager processing using three or more appliances

To support scaling over time, the administrator has chosen to deploy three separate appliances. This approach should greatly improve the event processing capacity and provide continuous availability as the network expands. Each appliance is used for a specific portion of the event handling process: one appliance to collect events, one to archive the events, and a third to correlate the events and track incidents.

Configuring the collection Information Manager

The collection Information Manager collects and then selectively forwards events to the correlation Information Manager. After the appliance has been installed and is registered with the Information Manager directory, the collection appliance is configured to focus on event collection and forwarding. In this case, the administrator specifies the following settings for the collection appliance on the System page:
- Under Correlation, Correlation Appliance is unchecked.
- Under Archiving, Archiving Enabled is unchecked.
- Using the Event Criteria section for Correlation Forwarding, the administrator creates an event filter that excludes a known false positive. In this case, the administrator knows that the RealSecure product in use incorrectly identifies activity from the firewall monitoring tool as Smurf Attack traffic. The filter uses the Vendor Signature field to exclude events with the vendor signature smurf_attack.
- Under Event Routing, Correlation Forwarding is enabled.
- Under Correlation Forwarding, the administrator uses the Event Forwarding Configuration fields to specify the host name of the archiving appliance. The archiving appliance aggregates the necessary data and forwards events to the correlation appliance. The port used is the Event Service port.

The changes are then applied by clicking Apply.
Configuring the archiving Information Manager

In this scenario, the archiving Information Manager archives and then forwards events for correlation. The security administrator uses the Information Manager console to configure an appliance to focus on archiving events and then forwarding events to the
correlation appliance. In this case, the administrator specifies the following settings for the archiving appliance on the System page:
- Under Correlation, Correlation Appliance is unchecked.
- Under Archiving, Archiving Enabled is checked.
- Using the Event Criteria section for Archiving, the administrator creates an archiving filter based on the Severity ID. If the Severity ID is greater than 2 - Warning, the event is archived. The administrator will monitor which events are archived and adjust the filter by adding criteria as necessary.
- Under Event Routing, Correlation Forwarding is enabled.
- Under Correlation Forwarding, the administrator uses the Event Forwarding Configuration fields to specify the host name of the correlation appliance. The archiving appliance aggregates the necessary data and forwards events to the correlation appliance. The port used is the Correlation Manager port.

The changes are then applied by clicking Apply.

Configuring the correlation Information Manager

In this scenario, the correlation Information Manager correlates events, hosts the directory service, and manages the incident, ticket, and asset database. The security administrator uses the Information Manager console to configure an appliance to focus on event correlation. In this case, the administrator specifies the following settings for the correlation appliance on the System page:
- Under Correlation, Correlation Appliance is checked.
- Under Archiving, Archiving Enabled is unchecked.
- Under Event Routing, Correlation Forwarding is enabled. Enabling Correlation Forwarding on the correlation appliance ensures that if any security events target the correlation appliance, the events are passed into the engine for correlation.
- Under Event Forwarding, the Correlation Manager port is selected, and the localhost address is used ( by default).
In this scenario, configuring the correlation appliance to forward events to the correlation engine ensures that if a collector has been configured to send events directly to the correlation appliance (in some cases, by accident), these events are also correlated. In general, all valid events should be routed to the archive before they are sent to the correlation engine. The changes are then applied by clicking Apply.
Adding additional collection appliances

In this scenario, new appliances can easily be added as collection appliances. By dividing the Information Manager collecting, archiving, and correlating tasks among multiple appliances, the archiving and correlation appliances can manage event data from multiple collection appliances. Each new collection appliance should be configured to send its data to the archiving appliance first, which in turn forwards the events to the correlation appliance. Sending event information directly to the correlation appliance (bypassing the archiving appliance) is not supported, and it prevents the event details from being displayed if an incident is created.
Appendix A
Deployment planning tools

This appendix includes the following topics:
- Estimation worksheets
- Deployment planning checklists
- Installation tables
- Information Manager configuration tables

Estimation worksheets

The following guidelines and worksheets are provided to help you determine the size of your Information Manager deployment:
- Event and incident rate examples
- Event rate worksheet
- Event archive storage worksheet

Contact your Symantec representative for the latest Information Manager sizing tools.

Event and incident rate examples

Event and incident rate examples are provided for estimation purposes only. Factors such as enterprise size, geographic layout, and network speed may cause your rates to differ from those presented here. Table A-1 shows some examples of typical daily event and incident rates for security devices.
Table A-1 Event and incident rate examples
Columns: Device type; Events/day; Incidents/day
Device types: Network Firewall; Network IDS/IPS; Host IDS/IPS; Client AV/firewall; Server AV
Events/day values, as far as they survive in this copy: 300, ,000 1,000-5,
Incidents/day values: not recoverable in this copy

Event rate worksheet

You can use an event rate worksheet to estimate the cumulative events per second that are generated by the security devices that you intend to monitor. When you specify the number of events per day for each device, take into consideration any reductions in the event rate due to filtering or aggregation at the event collector, or event exclusion at the Information Manager. Table A-2 shows a typical event rate worksheet.

Table A-2 Event rate worksheet
Columns: Device type; # devices; events/day; events/day all devices; events/sec all devices
Rows: Network Firewall; Network IDS/IPS; Host IDS/IPS; Client AV/Firewall; Server AV; Domain Controller; HTTP Server; VPN Server; SOCKS Server; Total
You can calculate the total events per day and the total events per second as follows:
- For each device type, enter the number of devices and the number of events per day, per device.
- For each device type, calculate the events per day for all devices as # devices * events/day.
- For each device type, calculate the events per second for all devices as events/day all devices * (the per-second factor printed in the original worksheet).
- Total the events/day all devices for all device types.
- Total the events/sec all devices for all device types.

Event archive storage worksheet

You can use the event storage worksheet to calculate the amount of event archive disk space that you need to satisfy your data retention requirements. The event retention policies dictate how long the data must be available in the database before it can be purged. Table A-3 shows a typical archive storage worksheet.

Table A-3 Archive storage worksheet
Columns: Device type; events/day all devices * 0.5K; days events retained; event storage
Rows: Network Firewall; Network IDS/IPS; Host IDS/IPS; Client AV/Firewall; Server AV; Domain Controllers; HTTP Server; VPN Server; SOCKS Server; Total

You can calculate the event storage as follows:
- For each device type, enter the daily event storage rate as total events/day * 0.5K.
- For each device type, enter the number of days that the event data must be retained. The longest retention period applies to all of the events that are stored in the same archive.
- For each device type, calculate the event storage as daily event storage * days retained.
- Total the event storage for all device types.

Deployment planning checklists

Table A-4 provides a list of common questions that are addressed during the planning phase.

Table A-4 Deployment planning checklist

Checklist: Event collectors
Event collector questions:
- Where are the security products located? Where are their events located?
- Where will the event collectors be located?
- Will the event collectors have authorized access to the event sources? For example, the Windows Event Log Event Collector requires administrative rights. Does the administrator password change periodically? Are remote login user accounts permitted?
- In what format will the events be delivered to the Collector? Database events are collected in clear text over JDBC. Syslog event sources are also collected in clear text.
- What is the event collection impact on bandwidth? Are there any slow links?
- Are any event collectors separated from Information Manager by Network Address Translation (NAT)? Do communication ports need to be opened?

Checklist: Event filtering, aggregation, and exclusion
Event filtering, aggregation, and exclusion questions:
- Which events can be filtered at the event collector?
- Which events can be aggregated at the event collector?
- Which events need to be correlated, but do not need to be stored in the archive?
- Which events need to be stored in the archive, but do not need to be correlated?
Table A-4 Deployment planning checklist (continued)

Checklist: Event forwarding
Event forwarding questions:
- Are the appropriate communication ports open?
- Are any appliances separated by Network Address Translation (NAT)?
- For a local cluster, do you need a cross-over cable? A dedicated switch?

Checklist: Correlation
Correlation questions:
- What are the most critical systems in your environment? What are the subnets?
- Are there any relevant policies that are not already identified by Information Manager?
- Are the rule event counts and thresholds appropriate for the security traffic in your environment?

Checklist: Data retention
Data retention policy questions:
- For how long must the data be available in the database for immediate queries?
- Do the policies require that the data be in its original format, for example, firewall logs, or can the data be translated into Information Manager events?
- What is the total size of the storage required to support the data retention policies?

Checklist: Roles
Role questions:
- Will access need to be restricted to different console users? What types? By organizational unit?
- Will different users need different dashboards?
- Will a user be required to manage the Information Manager appliance (e.g., apply patches), but be restricted from viewing any data?

Checklist: Data maintenance
Data maintenance questions:
- What is the database archive schedule?
- What is the directory backup schedule?
- How will the data archives be moved off of the appliances?
- Where will the archives be stored and how much space will the archives require?
- How will you restore the archive information if you need to view it?
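The arithmetic of the event rate worksheet (Table A-2) and the archive storage worksheet (Table A-3) above, as an added Python example that is not part of the guide. The events-per-second conversion (events/day divided by 86,400) and the sample device rows are assumptions; the 0.5K per event and the longest-retention rule come from the worksheets.

```python
"""Worksheet calculator for Tables A-2 and A-3 (added example, not Symantec code).

Event rate worksheet:  events/day all devices = # devices * events/day per device
                       events/sec all devices = events/day all devices / 86,400 (assumed)
Archive storage:       daily storage = events/day all devices * 0.5K
                       event storage = daily storage * days retained, where the
                       longest retention period applies to every device type
                       that shares an archive (as the worksheet instructions state).
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400        # assumption: the worksheet's per-second factor is 1/86400
BYTES_PER_EVENT = 512           # the worksheet's ".5K" per archived event


@dataclass
class DeviceRow:
    device_type: str
    devices: int
    events_per_day_each: int    # after collector filtering/aggregation and exclusion
    days_retained: int          # retention required by policy for this device type

    @property
    def events_per_day_all(self) -> int:
        return self.devices * self.events_per_day_each

    @property
    def events_per_sec_all(self) -> float:
        return self.events_per_day_all / SECONDS_PER_DAY


def event_rate_worksheet(rows):
    """Table A-2 totals: (events/day over all device types, events/sec over all)."""
    total_per_day = sum(r.events_per_day_all for r in rows)
    return total_per_day, total_per_day / SECONDS_PER_DAY


def archive_storage_worksheet(rows, shared_archive=True):
    """Table A-3: per-device-type storage in bytes plus the total.

    With shared_archive=True every row is retained for the longest period
    among the rows; otherwise each row keeps its own retention period."""
    longest = max(r.days_retained for r in rows)
    per_type = {}
    for r in rows:
        days = longest if shared_archive else r.days_retained
        daily_bytes = r.events_per_day_all * BYTES_PER_EVENT
        per_type[r.device_type] = daily_bytes * days
    return per_type, sum(per_type.values())


def gib(nbytes: int) -> float:
    return nbytes / 1024 ** 3


# Constructed sample rows (not from the guide); rates are after collector reduction.
SAMPLE_ROWS = [
    DeviceRow("Network Firewall", devices=4, events_per_day_each=300_000, days_retained=30),
    DeviceRow("Network IDS/IPS", devices=2, events_per_day_each=50_000, days_retained=90),
    DeviceRow("Server AV", devices=20, events_per_day_each=500, days_retained=30),
]

if __name__ == "__main__":
    per_day, per_sec = event_rate_worksheet(SAMPLE_ROWS)
    for r in SAMPLE_ROWS:
        print(f"{r.device_type:18} {r.events_per_day_all:>10,} ev/day {r.events_per_sec_all:8.2f} ev/s")
    print(f"{'Total':18} {per_day:>10,} ev/day {per_sec:8.2f} ev/s")
    per_type, total = archive_storage_worksheet(SAMPLE_ROWS)
    for name, nbytes in per_type.items():
        print(f"{name:18} {gib(nbytes):8.2f} GiB (longest retention applied)")
    print(f"{'Total':18} {gib(total):8.2f} GiB")
```

Running it with `shared_archive=False` shows how much the single-archive rule inflates the estimate, which is the case the worksheet warns about.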
Installation tables

You can use the following tables to document information for installing Symantec Security Information Manager and other devices. Table A-5 provides a template for recording critical information about each appliance.

Table A-5 Information Manager appliance key information
Columns: Record name; Description
Record names:
- Hostname
- FQDN
- IP address
- Subnet mask
- Default gateway
- Primary DNS
- Secondary DNS
- Information Manager domain
- Information Manager appliance version
- Number/Type of appliances deployed
- Information Manager appliance serial number
- Data retention period requested

Table A-6 provides a template for recording critical information about each primary server.

Table A-6 Symantec AntiVirus primary server key information
Columns: Record name; Description
Record names:
- Hostname
- FQDN
- IP address
- SAV version
- Number/Type of collectors deployed
- Number of AV nodes collecting event data
- Collector version
- Agent version

Table A-7 provides a template for recording critical information about each parent server.

Table A-7 Symantec AntiVirus parent server key information
Columns: Record name; Description
Record names:
- Hostname
- FQDN
- IP address
- SAV version
- Number/Type of collectors deployed
- Number of AV nodes collecting event data
- Collector version
- Agent version

Table A-8 provides a template for recording critical information about each client console.

Table A-8 Information Manager client consoles key information
Columns: Hostname; IP address; Console version; Assigned user
Information Manager configuration tables

In addition to the deployed components, you should track the following key configuration items:
- Installation settings (user names and passwords, for example)
- Information Manager Organizational Unit (OU) structure
- Information Manager rules
- Information Manager users

Table A-9 provides a template for recording Information Manager installation settings.

Table A-9 Information Manager installation settings
Columns: Description; Username; Password
Rows:
- Information Manager appliance: Information Manager administration account (local or remote)
- Information Manager console administrator account

Table A-10 provides a template for recording the Organizational Unit structure that you choose to implement in Information Manager.

Table A-10 Information Manager Organizational Unit structure
Columns: Description; Type; Name

Table A-11 provides a template for recording common Information Manager roles.

Table A-11 Information Manager roles
Columns: Description; Type; Name
Rows: Administrator; Power user; Read Only access

Table A-12 provides a template for recording Information Manager user settings.

Table A-12 Information Manager users
Columns: Description; Assigned role; User name; Password
Rows: three rows, each with the Assigned role prefilled as Administrator
Appendix B
Understanding the event life cycle

This appendix includes the following topics:
- About the event life cycle

About the event life cycle

Figure B-1 shows the life cycle of an Information Manager event.

Figure B-1 Event life cycle

Information Manager processes security event data in the following manner:
1. The event collector collects the raw event data from the security product.
2. The event collector normalizes the event data and filters and aggregates the events according to the event collector configuration settings.
3. The Agent sends the normalized events and, if so configured, the raw event data to the designated Information Manager.
4. Information Manager stores the event in the event archive.
5. Information Manager updates the event summary tables with the event information.
6. Information Manager correlates the event and, if the event triggers a correlation rule, creates an incident.
7. Information Manager stores the incident in the incident database.
8. Information Manager console users view incident and event reports.
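A walk-through of the life cycle steps above, combined with the archiving-appliance scenario from the deployment examples (archive filter: Severity ID greater than 2 - Warning; everything still forwarded for correlation), as an added Python example that is not part of the guide. The raw log lines, the severity scale beyond "2 - Warning", the field names and the toy correlation rule with its threshold are all assumptions.

```python
"""Event life cycle walk-through (added example, not Symantec code).

Steps 1-2: collect and normalize, then filter and aggregate at the collector.
Step 3-4:  forward to the archiving appliance, which stores events whose
           Severity ID is greater than 2 (Warning), as in the scenario.
Step 6-7:  all forwarded events are correlated; a toy threshold rule
           raises an incident.  Severity scale, fields and rule are assumed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed raw events in "<ts> <host> <product> <action> key=value ..." form.
RAW_EVENTS = [
    "10:00:01 fw1 firewall DENY src=10.0.0.5 dst=10.0.1.20 dport=22",
    "10:00:02 fw1 firewall DENY src=10.0.0.5 dst=10.0.1.20 dport=22",
    "10:00:03 fw1 firewall DENY src=10.0.0.5 dst=10.0.1.20 dport=22",
    "10:00:04 fw1 firewall ALLOW src=10.0.0.9 dst=10.0.1.30 dport=443",
    "10:00:05 ids1 nids ALERT sig=SSH-brute-force src=10.0.0.5 dst=10.0.1.20",
    "10:00:06 av1 av VIRUS_FOUND file=C:\\tmp\\x.exe action=quarantined",
    "10:00:07 ids1 nids ALERT sig=SSH-brute-force src=10.0.0.5 dst=10.0.1.20",
    "10:00:08 fw1 firewall DENY src=10.0.0.5 dst=10.0.1.20 dport=22",
]

# Assumed severity scale; the guide only fixes "2 - Warning".
SEVERITY = {"ALLOW": 1, "DENY": 2, "ALERT": 3, "VIRUS_FOUND": 4}
ARCHIVE_SEVERITY_ABOVE = 2      # archiving filter: Severity ID > 2 is archived


@dataclass
class Event:
    ts: str
    host: str
    product: str
    action: str
    fields: dict
    severity: int
    count: int = 1                              # occurrences folded by aggregation
    raw: list = field(default_factory=list)     # original-format lines, kept for the archive

    def key(self):
        """Events are 'similar' when everything except the timestamp matches."""
        return (self.host, self.product, self.action, tuple(sorted(self.fields.items())))


def normalize(line: str) -> Event:
    """Step 2: translate a product-specific line into the common schema."""
    ts, host, product, action, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(ts, host, product, action, fields, SEVERITY.get(action, 1), raw=[line])


def collector_filter(ev: Event) -> bool:
    """Step 2: discard events by a collector rule (here ALLOW is treated as noise)."""
    return ev.action != "ALLOW"


def aggregate(events):
    """Step 2: consolidate similar events into one event that carries a count."""
    merged = {}
    for ev in events:
        k = ev.key()
        if k in merged:
            merged[k].count += 1
            merged[k].raw.extend(ev.raw)
        else:
            merged[k] = ev
    return list(merged.values())


def archive(events):
    """Step 4: the archiving appliance stores events above the severity floor."""
    return [ev for ev in events if ev.severity > ARCHIVE_SEVERITY_ABOVE]


def correlate(events, threshold=2):
    """Step 6: toy rule - a source seen in >= threshold IDS alerts raises an incident."""
    alerts = Counter()
    for ev in events:
        if ev.product == "nids" and ev.action == "ALERT":
            alerts[ev.fields["src"]] += ev.count
    return [{"rule": "repeated-ids-alert", "src": src, "count": n}
            for src, n in alerts.items() if n >= threshold]


def run_pipeline(lines):
    normalized = [normalize(line) for line in lines]            # steps 1-2
    kept = [ev for ev in normalized if collector_filter(ev)]
    forwarded = aggregate(kept)                                 # step 3: sent to the archive appliance
    archived = archive(forwarded)                               # step 4
    incidents = correlate(forwarded)                            # step 6: every forwarded event is correlated
    return {"collected": len(lines), "forwarded": len(forwarded),
            "archived": len(archived), "incidents": incidents}


if __name__ == "__main__":
    print(run_pipeline(RAW_EVENTS))
```

The result shows the reduction the worksheets ask you to account for: eight raw lines become three forwarded events, two of which are archived, and one incident.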
Glossary

collection appliance
    An appliance that is primarily used to collect and forward events to a correlation appliance. Collection appliances can also archive events.

compliance
    Adherence to a policy or regulation. Policies and regulations can be internal, such as corporate IT standards, or external, such as HIPAA or Sarbanes-Oxley.

conclusion
    The match of a rule pattern. Conclusions can be generated by the correlation manager or can be created manually.

correlation appliance
    An appliance that is primarily used to correlate events and manage incidents. Correlation appliances can also archive events.

correlation manager
    The component that identifies security threats and policy infractions by inspecting and tracking event data, asset vulnerabilities, and global threat information.

event aggregation
    The consolidation of multiple similar events into a single event. Aggregation reduces event traffic and storage by sending a single event that reports the count of the similar events that occurred.

event archive
    The repository for security event data. Information Manager archives events in both normalized and original data formats. Event archives can be located on any logical volume, e.g., the local file system, direct attached storage, network attached storage, or a storage area network.

event collection
    The detection, gathering, and forwarding of events from a security product to an Information Manager system.

event filtering
    The discarding of events according to a user-defined rule set. Filtering events at the event collector reduces event traffic and storage by identifying and eliminating false positive, or otherwise unwanted, events. Filtering events at the archive prevents the storage of unessential event data. Filtering events at the correlation manager eliminates the correlation of events that need not be considered for incident creation purposes. Filtering events at the event forwarder allows for selective event forwarding to another Information Manager for correlation or archiving purposes.

event forwarding
    The sending of events from one appliance to another. You can configure Information Manager to send a filtered event stream to a remote appliance.

incident
    The actionable result of a triggered correlation rule. Information Manager sets incident priorities based on business impact and system criticality. Incidents can have associated analyst notifications, work-flow tasks, and remediation guidance.

Information Manager database
    The repository for the assets, incidents, conclusions, and tickets.

normalization
    The translation of events from a security-product-specific format to the Information Manager format. Information Manager normalizes events so that it can recognize threats across product families.

on-board event collector
    An event collector that resides on the Information Manager system. On-board event collectors do not require the SSIM agent, and they are pre-installed and pre-configured.

SSIM agent
    The component that provides secure communications between the event collectors and the Information Manager system.

Symantec event collector
    An Information Manager component that gathers events from a security product source and sends the events to Information Manager for archiving and correlation. You can configure an event collector to forward original format event data and to filter and aggregate the event data according to rules that you define.

Symantec Global Intelligence Network
    The Symantec security intelligence service that provides global threat information, such as watch lists and threat condition alerts, to the appliance.

threat
    An unwanted occurrence, such as a virus or a worm, that may result in harm to an asset. Threats often exploit vulnerabilities.

vulnerability
    A known weakness in an operating system or application that could be exploited by an attack. Vulnerabilities are discovered and reported by vulnerability scanning products.
Symantec Data Center Security: Server Advanced v6.0. Agent Guide
Symantec Data Center Security: Server Advanced v6.0 Agent Guide Symantec Data Center Security: Server Advanced Agent Guide The software described in this book is furnished under a license agreement and
Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations
Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations Technical Product Management Team Endpoint Security Copyright 2007 All Rights Reserved Revision 6 Introduction This
Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes
Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes November 2012 Veritas Operations Manager Advanced Release Notes The software described in this book is furnished under a license agreement
Configuring Symantec AntiVirus for NetApp Storage system
Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system The software described in this book is furnished under a license agreement and may be used
Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note
Recovering Encrypted Disks Using Windows Preinstallation Environment Technical Note Preface Documentation version Documentation version: 11.0, Release Date: Legal Notice Copyright Symantec Corporation.
PGP CAPS Activation Package
PGP CAPS Activation Package Administrator's Guide 9.12/10.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide
Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide The software described in this book is furnished under a license agreement
Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide
Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.6 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this
Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault
Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault Windows Server 2003 Windows Server 2008 5.1 Service Pack 2 Veritas Storage Foundation
Symantec Enterprise Vault
Symantec Enterprise Vault Setting up SMTP Archiving 10.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used
Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide
Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide The software described in this book is furnished under a license
Altiris Asset Management Suite 7.1 from Symantec User Guide
Altiris Asset Management Suite 7.1 from Symantec User Guide Altiris Asset Management Suite 7.1 from Symantec User Guide The software described in this book is furnished under a license agreement and may
Symantec Enterprise Vault
Symantec Enterprise Vault Reporting 10.0 Symantec Enterprise Vault: Reporting The software described in this book is furnished under a license agreement and may be used only in accordance with the terms
Symantec ApplicationHA agent for Internet Information Services Configuration Guide
Symantec ApplicationHA agent for Internet Information Services Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Internet Information Services Configuration Guide
Symantec NetBackup Backup, Archive, and Restore Getting Started Guide. Release 7.5
Symantec NetBackup Backup, Archive, and Restore Getting Started Guide Release 7.5 Symantec NetBackup Backup, Archive, and Restore Getting Started Guide The software described in this book is furnished
Symantec Endpoint Protection Integration Component 7.5 Release Notes
Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Legal Notice Copyright 2013 Symantec Corporation. All rights reserved.
Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide
Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide The software described in this book is furnished
PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes
PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP
Symantec NetBackup for Lotus Notes Administrator's Guide
Symantec NetBackup for Lotus Notes Administrator's Guide for UNIX, Windows, and Linux Release 7.5 Symantec NetBackup for Lotus Notes Administrator's Guide The software described in this book is furnished
Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide
Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Altiris Patch Management Solution for Windows 7.5 SP1 from Symantec User Guide The software described in this book is
Symantec Secure Email Proxy Administration Guide
Symantec Secure Email Proxy Administration Guide Documentation version: 4.4 (2) Legal Notice Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo
Altiris Monitor Solution for Servers 7.5 from Symantec User Guide
Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide The software described in this book is furnished under a license agreement
Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide
Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 September 2011 Symantec ApplicationHA Agent for
Veritas Storage Foundation Scalable File Server Replication Guide 5.5
Veritas Storage Foundation Scalable File Server Replication Guide 5.5 Veritas Storage Foundation Scalable File Server Replication Guide The software described in this book is furnished under a license
Symantec Enterprise Vault. Upgrading to Enterprise Vault 11.0.1
Symantec Enterprise Vault Upgrading to Enterprise Vault 11.0.1 Symantec Enterprise Vault: Upgrading to Enterprise Vault 11.0.1 The software described in this book is furnished under a license agreement
Symantec AntiVirus for Network Attached Storage Integration Guide
Symantec AntiVirus for Network Attached Storage Integration Guide Introducing Symantec AntiVirus for Network Attached Storage The software described in this book is furnished under a license agreement
Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide
Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide Symantec Endpoint Protection Small Business Edition Installation and Administration Guide The software described
Symantec NetBackup Clustered Master Server Administrator's Guide
Symantec NetBackup Clustered Master Server Administrator's Guide for Windows, UNIX, and Linux Release 7.5 Symantec NetBackup Clustered Master Server Administrator's Guide The software described in this
Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP
Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP. The software
Symantec Enterprise Vault
Symantec Enterprise Vault Setting up SMTP Archiving 11.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used
Symantec Encryption Desktop Version 10.3 for Windows Maintenance Pack Release Notes
Symantec Encryption Desktop Version 10.3 for Windows Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this
Symantec NetBackup Deduplication Guide
Symantec NetBackup Deduplication Guide UNIX, Windows, Linux Release 7.1 21159706 Symantec NetBackup Deduplication Guide The software described in this book is furnished under a license agreement and may
Symantec Critical System Protection 5.2.9 Agent Guide
Symantec Critical System Protection 5.2.9 Agent Guide Symantec Critical System Protection Agent Guide The software described in this book is furnished under a license agreement and may be used only in
Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007
Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Windows Server 2003, Windows Server 2008 VCS Library Management Pack Veritas Cluster Server Library
PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes
PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP
Symantec AntiVirus Installation Guide
Symantec AntiVirus Installation Guide 10517969 Symantec AntiVirus Installation Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the
Payment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Service Pack 1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration
Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0
Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 PN: 12199694 Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 The software described
